Technology

Google Chrome extensions hack may have started much earlier than expected

January 3, 2025

New details have emerged regarding recent cyberattack
A malicious Google Chrome extension led to 400,000 users being infected with malware
Attackers were reportedly planning the campaign as early as March 2024

The recent cyberattack which hit security firm Cyberhaven and then affected a number of Google Chrome extenions may have been part of a ‘wider campaign’, new research has claimed.

A BleepingComputer investigation found the same code was injected into at least 35 Google Chrome extensions, which are being used by roughly 2.6 million users worldwide. This led to 400,000 devices being infected with malicious code through the CyberHaven extensions.

The campaign started as early as December 5, over two weeks earlier than first suspected, although command and control subdomains have been found dating back as far as March 2024.

Data loss prevention

Ironically, cybersecurity firm Cyberhaven is a startup which provides a Google Chrome extension aimed at preventing sensitive data loss from unapproved platforms, such as Facebook or ChatGPT.

In this particular case, the attack originated from a phishing email against a developer, which posed as a Google notification alerting the administrator that an extension was in breach of Chrome Web Store policies and at risk of being removed. The developer was encouraged to allow a ‘Privacy Policy Extension’, which then granted attackers permissions and allowed access.

After this, a new malicious version of the extension was uploaded, which bypassed Google’s security checks, and was spread to around 400,000 users thanks to automatic extension updates on Chrome.

It has now been discovered the attackers were aiming to collect Facebook data from victims through the extensions, and domains used in the attack were registered and tested back in March 2024, before a new set was created in November and December ahead of the incident.

“The employee followed the standard flow and inadvertently authorized this malicious third-party application,” Cyberhaven said in a statement.

“The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised.”

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar