Cyberhaven breach caused by malicious Chrome extension

On Wednesday, Dec. 25, 2024, cybersecurity firm Cyberhaven was the target of a large-scale attack. Through their Chrome extension, 400,000 users were infected with malware.

Cyberhaven is a cybersecurity startup focusing on Data Loss Prevention (DLP). Their extension helps companies prevent sensitive information from entering unapproved platforms, such as ChatGPT or Facebook.

The attack began on Christmas Eve (Tuesday), when a Cyberhaven administrator received an alarming email claiming that their Chrome extension violated Google's policy and would be removed from the Chrome Web Store. This is according to a reconstruction published on Medium.com.

However, this email was a phishing attempt. The link in the email led the administrator to a Google OAuth consent screen, which asked him to grant permissions to an application called "Privacy Policy Extension". The attackers controlled this application, and the granted permission gave them the ability to upload new versions of the extension to the Web Store.

After gaining access, the attacker uploaded a malicious version of the extension. Although Google performs security checks on new extension versions, the malicious code soon became available to users. Because Chrome updates extensions automatically, the new version spread to about 400,000 users.

Taking over user accounts

The malicious code allowed criminals to steal users’ sensitive information such as passwords and cookies. This enabled attackers to take over user accounts and obtain sensitive data. A few hours after the malicious version was published, Cyberhaven’s security team was notified of the attack. They took immediate action to remove the malicious code. On Friday, Dec. 27, Cyberhaven released a statement about the breach. This caused a shockwave in the cybersecurity community.

More parties affected

Following the attack on Cyberhaven, further investigation revealed that dozens of other popular Chrome extensions contained the same malicious code. The attackers had not only hit Cyberhaven but also compromised the developers of other extensions. It is estimated that more than one million computers have been infected with malicious code via extensions such as VPNCity and Reader Mode. So far, 16 compromised extensions have been identified.

Organizations and individual users are advised to check immediately whether their systems are infected. One way to do this is to consult the Indicators of Compromise (IoCs) shared by Cyberhaven. To prevent future attacks, experts recommend version pinning, a technique that locks extensions to pre-approved versions. This prevents automatic updates from installing a malicious version of an extension.
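The two checks recommended above can be combined in one audit: compare every extension version unpacked in a Chrome profile against an IoC list of known-malicious (extension ID, version) pairs, and flag any extension that has drifted from its pinned, reviewed version. The script below is an added example and is not code from the article or from Cyberhaven; the extension IDs, versions and names in it are constructed placeholders, not Cyberhaven's published IoCs. It relies on Chrome's on-disk layout of `<profile>/Extensions/<extension-id>/<version>_<n>/manifest.json` and builds a throwaway profile tree so it runs offline.

```python
"""Audit the extensions in a Chrome profile against an IoC list and a
version-pin allowlist.

Chrome stores unpacked copies of installed extensions under
<profile>/Extensions/<extension-id>/<version>_<n>/manifest.json
(for example %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions
on Windows). All IDs and versions below are constructed placeholders.
"""
import json
import tempfile
from pathlib import Path

# Constructed placeholder IoCs: (extension id, version) pairs known to be
# malicious. Replace with the real pairs from the vendor's IoC list.
MALICIOUS_VERSIONS = {
    ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.4"),
}

# Constructed version pins: the only reviewed, approved version of each
# extension. Anything else on disk is treated as an unreviewed update.
PINNED_VERSIONS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "24.10.3",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "2.1.0",
}


def installed_extensions(extensions_dir):
    """Yield (id, version, manifest) for every unpacked extension version."""
    root = Path(extensions_dir)
    for id_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            # Prefer the manifest's own version; fall back to the directory
            # name with Chrome's "_<n>" install suffix stripped.
            version = manifest.get("version") or ver_dir.name.rsplit("_", 1)[0]
            yield id_dir.name, version, manifest


def audit_extensions(extensions_dir):
    """Return one finding dict per suspicious extension version found."""
    findings = []
    for ext_id, version, manifest in installed_extensions(extensions_dir):
        name = manifest.get("name", "<unnamed>")
        if (ext_id, version) in MALICIOUS_VERSIONS:
            findings.append({"id": ext_id, "version": version, "name": name,
                             "reason": "matches known-malicious version (IoC)"})
        elif ext_id in PINNED_VERSIONS and PINNED_VERSIONS[ext_id] != version:
            findings.append({"id": ext_id, "version": version, "name": name,
                             "reason": f"drifted from pinned version "
                                       f"{PINNED_VERSIONS[ext_id]}"})
    return findings


def build_sample_profile(base_dir):
    """Create a constructed Extensions tree for the offline demonstration."""
    layout = {
        # The reviewed, pinned version of a DLP-style extension ...
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.3_0"):
            {"name": "Example DLP", "version": "24.10.3"},
        # ... and an auto-updated version that matches the IoC list.
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.4_0"):
            {"name": "Example DLP", "version": "24.10.4"},
        # An extension that drifted from its pin but is not on the IoC list.
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.2.0_0"):
            {"name": "Example Reader", "version": "2.2.0"},
        # An unpinned extension nobody has flagged: no finding expected.
        ("cccccccccccccccccccccccccccccccc", "1.0_0"):
            {"name": "Example Notes", "version": "1.0"},
    }
    ext_root = Path(base_dir) / "Extensions"
    for (ext_id, ver_dir), manifest in layout.items():
        d = ext_root / ext_id / ver_dir
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


def demo():
    """Run the audit over the constructed profile and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_sample_profile(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['id']} {finding['version']:<10} "
              f"{finding['name']}: {finding['reason']}")
```

On a real machine, point `audit_extensions` at the profile's `Extensions` directory and load `MALICIOUS_VERSIONS` from the vendor's IoC list. The drift check is the detection-side counterpart of version pinning: pinning stops the update from installing, while this check tells you whether an unreviewed version already reached a machine before the pin was in place.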

In addition to securing specific extensions, companies should be alert to similar weaknesses in other software ecosystems, such as IDE extensions (e.g., for Visual Studio Code) or package registries (such as npm or PyPI). These attacks are a classic software supply chain problem, in which companies must balance security against productivity.