Beware of Chrome Extensions! Supply Chain Attack


In this post, we’ll break down a recent supply chain attack, likely targeting Facebook ad users. We’ll cover how malicious versions of Cyberhaven and other Chrome extensions appeared in the Google Chrome Web Store during the holiday break.


What Happened?

Cyberhaven, a publicly traded company valued at $488 million, specializes in data security. Despite that focus, it fell victim to a phishing attack: a Cyberhaven employee unknowingly authorized a malicious OAuth app named “Privacy Policy Extension” against the company’s official Chrome Web Store developer account.


How Did the Attack Work?

  1. Phishing Email: The employee received a polished phishing email, appearing to come from the Chrome Web Store.
  2. Urgent Action Required: The message claimed the extension’s description had too many keywords and would be removed unless immediate action was taken.
  3. OAuth Authorization: The email included a link. Clicking it led to a legitimate-looking Google authorization flow, where the employee unintentionally granted access to the malicious app.

Although the employee had Google Advanced Protection and multi-factor authentication (MFA) enabled, the phishing attack bypassed both layers, because an OAuth consent grant hands the app access without the attacker ever needing the password or an MFA code. Cyberhaven confirmed that Google credentials were not compromised.


The Malicious Extension

Armed with developer access, the attacker uploaded a malicious version (24.10.4) of the Cyberhaven extension. It remained live for about 24 hours (Dec 25–26) before detection and removal.

  • The malicious version was replaced with a safe version (24.10.5) immediately after detection.
  • Users with automatic updates enabled unknowingly downloaded the infected version.

Cyberhaven assured users that CI/CD systems and code-signing keys were not breached.


What Did the Malware Do?

The malicious extension targeted Facebook ad accounts, specifically:

  • Access tokens
  • User IDs
  • Account details via the Facebook API
  • Business account data

Additionally, the malware included an advanced mouse-click listener specifically for facebook.com. When a user clicked on a page, the malware captured all images.

Why images? The attacker likely searched for QR codes to bypass CAPTCHAs and 2FA (two-factor authentication) prompts.


A Wider Attack

Cyberhaven wasn’t alone. Jaime Blasco, co-founder and CTO of Nudge Security, reported on LinkedIn that multiple Chrome extensions were compromised.

  • The attacker created several fake domains, all hosted on the same IP address.
  • At least five more extensions were affected:
    • Internxt VPN
    • VPNCity
    • Uvoice
    • ParrotTalks

Lessons Learned

  • Phishing works, even on tech-savvy teams.
  • OAuth permissions are a high-value target.
  • MFA isn’t foolproof against social engineering.

For users: Always verify OAuth permissions. For companies: Regularly audit your Chrome Web Store accounts.
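One concrete form that audit can take on endpoints, as an added example that is not Cyberhaven’s or the post’s own code: it walks a Chrome profile’s Extensions directory and flags any Cyberhaven install at the malicious 24.10.4 build named above, treating 24.10.5 or later as clean. It assumes the extension’s manifest name contains “Cyberhaven” and that you pass the profile’s Extensions path; the extension ids in the demo are constructed placeholders, not the real ones.

```python
import json
import tempfile
from pathlib import Path

# From the post: 24.10.4 was the malicious Cyberhaven upload, 24.10.5 the safe one.
KNOWN_BAD = {"Cyberhaven": {"bad": {"24.10.4"}, "fixed": "24.10.5"}}

def version_tuple(v):
    """Turn '24.10.5' into (24, 10, 5) so versions compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def scan_extensions(extensions_dir):
    """Yield (ext_id, version, name, manifest_path) for every installed version.
    Chrome stores them as <profile>/Extensions/<id>/<version>/manifest.json;
    localized names (__MSG_...__) are not resolved here."""
    for manifest in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or half-written manifest; skip it
        ext_id = manifest.parent.parent.name
        yield ext_id, data.get("version", manifest.parent.name), data.get("name", ""), manifest

def audit(extensions_dir, indicators=KNOWN_BAD):
    """Classify each matching extension version as malicious, clean or unverified."""
    findings = []
    for ext_id, version, name, path in scan_extensions(extensions_dir):
        for needle, info in indicators.items():
            if needle.lower() not in name.lower():
                continue
            if version in info["bad"]:
                status = "malicious"
            elif version_tuple(version) >= version_tuple(info["fixed"]):
                status = "clean"
            else:
                status = "unverified"  # predates the bad build; check the vendor notice
            findings.append({"id": ext_id, "name": name, "version": version,
                             "status": status, "path": str(path)})
    return sorted(findings, key=lambda f: (f["id"], f["version"]))

def demo():
    """Audit a constructed profile; the extension ids are placeholders, not real ones."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    sample = [("placeholderid000000000000000000a", "24.10.4", "Cyberhaven"),
              ("placeholderid000000000000000000a", "24.10.5", "Cyberhaven"),
              ("placeholderid000000000000000000b", "1.2.0", "Unrelated Extension")]
    for ext_id, version, name in sample:
        (root / ext_id / version).mkdir(parents=True)
        (root / ext_id / version / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
    return audit(root)
```

On a real machine, point `audit()` at the profile’s Extensions folder (for example `~/.config/google-chrome/Default/Extensions` on Linux) and treat any `malicious` finding as an incident, since that build ran with the extension’s full permissions.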

Stay cautious, and maybe don’t click that “urgent action required” email at 4 PM on Christmas Day.

Martin Baker

Martin Baker, Managing Editor at Decoded.cc, harnesses a decade of digital publishing expertise to craft engaging content around technology, data, and culture. He leads cross-functional teams, enforces editorial excellence, and transforms complex ideas into accessible narratives—fueling Decoded.cc’s growth and impact.
