Chrome extensions compromised in Christmas Day supply chain attack

In a supply chain attack that was first detected on Dec. 25, several Chrome extensions were compromised after a Cyberhaven employee was tricked by a phishing email that stole the worker’s credentials to the Google Chrome Web Store.

A Dec. 27 blog post by Cyberhaven explained the attacker used these credentials on Dec. 24 to publish a malicious version of Cyberhaven’s Chrome extension, version 24.10.4. Cyberhaven said its security team detected the compromise late on Christmas Day and removed the malicious package within one hour.

In this case, the compromised extension specifically targeted Facebook advertising users to steal access tokens, business account details, and ad account information while also attempting to bypass two-factor authentication (2FA) through QR code scanning, explained Stephen Kowski, Field CTO at SlashNext Email Security.

“The 24-hour exposure window during a major holiday potentially affected numerous users who had auto-updates enabled, creating a significant risk for Facebook advertising accounts and associated business data,” said Kowski.

Kowski said while various news stories on the incident focused more on the 2FA bypass aspect, the story was more about a sophisticated supply chain attack targeting Chrome extension developers. While the incident is serious and noteworthy, especially given its impact on Facebook advertising users, Kowski said the core issue centers on OAuth abuse and social engineering rather than a fundamental flaw in 2FA systems.

Itzik Alvas, co-founder and CEO of Entro Security, further explained that the phishing email, masquerading as a legitimate communication from the Chrome Web Store, led the employee to grant a malicious OAuth application a legitimate non-human identity (NHI), which the attackers then used to exploit the developer account.

Alvas said the attackers leveraged this over-permissive access to publish a malicious extension version that was available for over 24 hours and automatically distributed to users with auto-update enabled.
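Because the malicious build reached endpoints through normal auto-update, a defender's first question is which machines actually received version 24.10.4. The script below is an added example (not from the article or from Cyberhaven): it walks a Chrome profile's standard `Extensions/<id>/<version>_<n>/manifest.json` layout and flags the version the article names. Matching on the manifest `name` field is an assumption; a Web Store extension may localize its name, so match on the extension ID from the vendor advisory when it is available.

```python
"""Inventory Chrome extension manifests and flag a known-bad name/version pair.

Added example, not the article's or Cyberhaven's code. Assumes the standard
Chrome profile layout (Extensions/<id>/<version>_<n>/manifest.json).
"""
import json
from pathlib import Path

# Indicator from the article: the malicious Cyberhaven release was 24.10.4.
# The name substring is an assumed match, not a published identifier; the
# manifest "name" may be a localized placeholder such as "__MSG_appName__".
COMPROMISED = {"cyberhaven": {"24.10.4"}}


def installed_extensions(profile_dir):
    """Yield (extension_id, name, version, manifest_path) for each manifest."""
    ext_root = Path(profile_dir) / "Extensions"
    for manifest in ext_root.glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        ext_id = manifest.parents[1].name  # .../Extensions/<id>/<version>_<n>/
        yield ext_id, str(data.get("name", "")), str(data.get("version", "")), manifest


def find_compromised(profile_dir, indicators=COMPROMISED):
    """Return manifests whose name contains an indicator key at a bad version."""
    hits = []
    for ext_id, name, version, path in installed_extensions(profile_dir):
        for needle, bad_versions in indicators.items():
            if needle in name.lower() and version in bad_versions:
                hits.append({"id": ext_id, "name": name,
                             "version": version, "path": str(path)})
    return hits


if __name__ == "__main__":
    import sys
    profile = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in find_compromised(profile):
        print(f"FLAGGED {hit['id']} {hit['name']} {hit['version']} ({hit['path']})")
```

Run it against each user profile directory (the `Default` or `Profile N` folder) collected from endpoints; an empty result for a host with the extension installed means it never received the flagged version or has already updated past it.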

“By manipulating OAuth tokens and API keys associated with the extension's development and distribution processes, the attackers were able to exploit NHIs to expand the scope of exposure and compromise additional resources and companies beyond the scope of the initial phishing email,” said Alvas.

Casey Ellis, founder at Bugcrowd, added that the attack was a concerted MFA bypass campaign with unfortunate, but clever, timing. Ellis said what was interesting to him was the short window between a successful phish and the upload of the packaged malicious Chrome extension, suggesting that the attacker was prepared for a successful intrusion of Cyberhaven as a supply chain target, and that this was part of a broader coordinated campaign.

“The extensions themselves were focused on exfiltrating session cookies from user browsers, with a focus on targeting social media and AI platforms for hijacking,” said Ellis. “The primary potential impact is account takeover of the hijacked accounts, with the usual associated downstream impacts. Cyberhaven’s Chrome extension counts enterprise and business users as its regular users, meaning that a successful compromise could impact business accounts, not just the accounts of regular internet users.”
