
Supply Chain Attack Targets Chrome Extensions to Deliver Malicious Code


On December 26, 2024, Cyberhaven disclosed a significant supply chain attack targeting Chrome browser extensions.

The attackers leveraged phishing emails to deceive extension developers into authorizing a malicious OAuth application.

This application granted the attackers permissions to publish compromised versions of legitimate Chrome extensions on the Chrome Web Store.

Phishing email claiming a fake violation related to a Chrome extension

The campaign, which began in mid-November 2024, compromised approximately a dozen extensions, potentially affecting hundreds of thousands of users.

Phishing Attack Exploits OAuth Permissions

The phishing emails mimicked official Chrome Web Store notifications, urging developers to comply with policy changes.

Once developers authorized the malicious OAuth application, the attackers deployed new versions of the extensions containing malicious code.

Malicious OAuth application “Privacy Policy Extension” requesting access to update the Chrome Web Store extensions

This code was designed to harvest sensitive user data, including API keys, session cookies, and authentication tokens from services such as ChatGPT and Facebook for Business.

Malicious Code and Data Harvesting

The malicious code embedded in the compromised extensions consisted of two components: background scripts and injected scripts.

The background scripts facilitated communication with command-and-control (C2) servers to fetch configuration files and execute actions such as exfiltrating data or validating tokens.

Injected scripts targeted specific URLs (e.g., ChatGPT or Facebook Business) to collect credentials and user data.

Notably, configurations retrieved from C2 servers revealed targeted endpoints for harvesting OpenAI API keys and Facebook Business account details.
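The two-component structure described above (a background script that pulls configuration from a remote server, plus content scripts injected into credential-bearing sites) leaves static traces in an extension's manifest and background script. The following is an added example, not code from Cyberhaven, Sekoia or the article: a small triage script that unpacks nothing and contacts nothing, it simply reads `manifest.json` and the background script of an unpacked extension and flags those indicators. The sensitive host list, the `.invalid` configuration URL and both sample extensions are constructed for this example; the permission names and manifest keys are real Chrome extension manifest fields.

```python
"""Static triage of an unpacked Chrome extension for the indicator classes the
article describes: remote config fetch in the background script, content scripts
injected into credential-bearing sites, cookie/token-capable permissions and
blanket host access. Example code; not part of the original article."""
import json
import re
import tempfile
from pathlib import Path

# Constructed list: the services the article names as harvesting targets.
SENSITIVE_HOSTS = ("chatgpt.com", "chat.openai.com", "facebook.com")
# Real manifest permission names that expose cookies, tokens or page content.
RISKY_PERMISSIONS = {"cookies", "webRequest", "scripting", "tabs"}
# Crude pattern for a background script pulling something from a remote URL.
REMOTE_FETCH = re.compile(r"""fetch\(\s*['"`](https?://[^'"`]+)['"`]""")


def background_files(manifest: dict, ext_dir: Path) -> list:
    """Background script paths for MV2 ('scripts') or MV3 ('service_worker')."""
    bg = manifest.get("background", {})
    names = [bg["service_worker"]] if "service_worker" in bg else []
    names += bg.get("scripts", [])
    return [ext_dir / n for n in names]


def triage_extension(ext_dir: Path) -> dict:
    """Collect the four indicator classes from manifest.json and the background script."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    findings = {"remote_fetch": [], "sensitive_content_scripts": [],
                "risky_permissions": [], "broad_hosts": False}
    for js in background_files(manifest, ext_dir):
        if js.exists():
            findings["remote_fetch"] += REMOTE_FETCH.findall(js.read_text(encoding="utf-8"))
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if any(host in pattern for host in SENSITIVE_HOSTS):
                findings["sensitive_content_scripts"].append(pattern)
    findings["risky_permissions"] = sorted(set(manifest.get("permissions", [])) & RISKY_PERMISSIONS)
    findings["broad_hosts"] = "<all_urls>" in manifest.get("host_permissions", [])
    return findings


def risk_score(findings: dict) -> int:
    """One point per indicator class present; a score of 3 or more warrants a manual
    diff of the update against the previous published version."""
    return sum([bool(findings["remote_fetch"]), bool(findings["sensitive_content_scripts"]),
                bool(findings["risky_permissions"]), findings["broad_hosts"]])


def build_sample_extension(root: Path, compromised: bool) -> Path:
    """Write a constructed manifest and background script modelled on the article's
    description. The compromised variant only carries placeholders: the fetch points at
    a reserved .invalid domain and the content script is an empty comment."""
    ext = root / ("compromised" if compromised else "clean")
    ext.mkdir(parents=True, exist_ok=True)
    manifest = {"manifest_version": 3, "name": "Sample Extension", "version": "1.0",
                "permissions": ["storage"], "background": {"service_worker": "bg.js"}}
    bg = "chrome.storage.local.set({installed: Date.now()});\n"
    if compromised:
        manifest["permissions"].append("cookies")
        manifest["host_permissions"] = ["<all_urls>"]
        manifest["content_scripts"] = [{"matches": ["https://chatgpt.com/*",
                                                    "https://business.facebook.com/*"],
                                        "js": ["inject.js"]}]
        bg += 'fetch("https://config-cdn.example.invalid/cfg.json").then(r => r.json());\n'
        (ext / "inject.js").write_text("// constructed placeholder content script\n", encoding="utf-8")
    (ext / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (ext / "bg.js").write_text(bg, encoding="utf-8")
    return ext


# Constructed sample extensions, written to a temporary directory at import time.
SAMPLE_ROOT = Path(tempfile.mkdtemp(prefix="ext-triage-"))
CLEAN_DIR = build_sample_extension(SAMPLE_ROOT, compromised=False)
COMPROMISED_DIR = build_sample_extension(SAMPLE_ROOT, compromised=True)

if __name__ == "__main__":
    for ext_dir in (CLEAN_DIR, COMPROMISED_DIR):
        findings = triage_extension(ext_dir)
        print(f"{ext_dir.name}: score={risk_score(findings)} {findings}")
```

Run it against a real unpacked extension by calling `triage_extension(Path("/path/to/unpacked"))`. The point of the score is not a verdict but a prompt: an update whose manifest suddenly gains `cookies` or `<all_urls>`, or whose service worker starts fetching from a domain that was not there in the previous version, is exactly the kind of change a compromised developer account would push and a reviewer should diff by hand.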

Analysis of the adversary’s infrastructure uncovered a network of domains and servers used for phishing, redirection, and data exfiltration.

According to Sekoia, these domains were registered with consistent patterns and hosted on VULTR’s autonomous system (AS 20473).

The attackers have been linked to campaigns dating back to at least 2023, initially distributing malicious extensions via fake websites before shifting to compromising legitimate extensions.

This attack highlights the risks posed by supply chain vulnerabilities in browser extensions.

By compromising trusted extensions, attackers can scale their operations with minimal effort while targeting sensitive user data.

The harvested data could be sold or exploited in further cyber campaigns.

To mitigate risks, affected users should update compromised extensions to clean versions or remove them entirely.

Additionally, they should revoke potentially exposed credentials, change passwords, and monitor account activity for suspicious behavior.

Developers are advised to enhance security awareness regarding phishing tactics and implement stricter access controls for publishing updates.
