Chrome Extension Compromises Highlight Software Supply Challenges

On Christmas Eve, developers at data detection and response firm Cyberhaven received a troubling email that seemed to come from Google, threatening to remove access to the company's Chrome extension for violation of excessive metadata.

One employee clicked on the "Go To Policy" link, they were taken to Google's authorization application for adding privileges to a third-party application — in this case, a seemingly innocuous application named "Privacy Policy Extension" — and granted the software rights to see, edit, update, and publish to the Chrome Web Store. Once granted access, however, the attacker quickly uploaded a new Chrome extension modifying Cyberhaven's browser add-on to exfiltrate Facebook access tokens saved in the browser and install a mouse-click listener to possibly bypass captchas, according to a preliminary analysis of the breach by the firm's engineering team.

The malicious Chrome extension was only active for about a day before discovery, Howard Ting, CEO of Cyberhaven said in a statement.

"For browsers running the compromised extension during this period, the malicious code could have exfiltrated cookies and authenticated sessions for certain targeted websites," he said. "While the investigation is ongoing, our initial findings show the attacker was targeting logins to specific social media advertising and AI platforms."

Cyberhaven is not alone, but rather appears to be one of the first victims to detect the attack. So far, 36 different extensions — used by as many as 2.6 million people — appear to be linked in some way to the attack, the techniques, or to the infrastructure used by the attackers, according to an analysis by John Tuckner, founder of Secure Annex, a browser-extension management service. Until Cyberhaven detected the attack on its Chrome extensions, developers at other companies and independent programmers largely failed to detect similar compromises using the supply-chain attack.

Attackers Focus on Supply Chain

The attacks underscore the problems that companies have in securing their software supply chains. Most companies do not have visibility into much of the software — and cloud services replacing some software — that their employees are using on a daily basis, says Jaime Blasco, chief technology officer and cofounder at Nudge Security, a cloud application security service provider.

"Modern shadow IT is not just software," he says. "Every SaaS application that your employees are using, they grant access to tons of resources that no one knows about — that includes Chrome extensions and extensions in your IDEs. There's a lot of new attack surface that people are not paying attention to in the SaaS ecosystem."

Many companies do not pay attention to the potential for compromise through plug-ins that extend software applications, such as the Chrome browser and its extensions.

Yet, despite Google's updated security and privacy standards for Google Chrome extensions, attackers and researchers continue to find ways to inject malicious code into victims' browsers through the extension ecosystem. In 2021, for example, Google removed a Chrome extension that helped users shut down old tabs and their processes, after a cybercriminal group bought the extension from the original developer and used it to install malicious code on the systems of its approximately 2 million users. University researchers have also found ways to circumvent Google's security process to publish malicious Chrome extensions to the Chrome Web Store.

Overall, hundreds of millions of Chrome users have security-noteworthy extensions (SNEs) — those that contain malware, a vulnerability, or violate Google's policies — installed in their browsers, according to one study published Stanford University researchers.

Gaining Access Rights Through Social Engineering

In the case of the developer phishing campaigns, attackers are collecting developer email addresses from the information published on the Chrome Web Store, sending phishing attacks aimed at those developers, and then compromising the code of any developers who fall prey to the attacks.

The attack does not need to steal a developer's credentials, but just convince the developer to grant the necessary permissions, says Secure Annex's Tuckner.

"The OAuth phishing attack used [by the attacker] is very scary and even worked around Cyberhaven's implementation of Advanced Protection, one of the most sophisticated authentication systems," he says. "I think developers need to be aware that an email address will be tied to the Chrome web store publicly and will be used as a primary method of contact, increasing its exposure."

Because attackers can layer a number of privileges into a single OAuth permissions request, quite a few suspicious behaviors can be stacked on top of each other in a single extension, he says.

"There are a handful of extensions that are quite susceptible to compromise, monetization, ownership transfers, and lack of hygiene, which I believe some threat actors have identified," he says. "For many I talk to, managing browser extensions can be a lower priority item in their security program. Folks know they can present a threat, but nothing has ever happened to make them a priority."

Time to Shore Up Extensions

In the coming year, Tuckner hopes that will change.

"I hope that the Chrome web store can become more transparent in how it operates before something worse happens," he says, adding: "The suspicious extension reporting process, while likely overwhelmed, is often met with silence, inaction, and no documentation trail."

Any developer with major browser extensions should not rely on the specific store provider to detect the attack, but regularly monitor their software deployments, he recommends. Because compromising an extension requires a new version of the code to be released, a peer-review and approval process for software releases can catch unusual deployments. In addition, developers should have an email security service that detects phishing attacks, separate their general-use emails from their development accounts, and require administrator approval of new access attempts.

For its part, Cyberhaven released a collection of scripts designed to help investigate the extent to which their own machines were impacted by the attack.

"As Cyberhaven assisted our customers in responding to the attack, it became apparent that limited tooling was available to quickly and accurately evaluate the spread of the impact," the company said in a December 31 blog post on the release of the tools, adding that "[t]hese scripts search for entries indicating that a malicious extension has exfiltrated data."

Companies should expect attacks using extensions of all sorts — for browsers, for integrated development environments (IDEs), and other extensible software platforms — to increase in the future, says Nudge Security's Blasco.

"Attackers know that companies have spent enough dollars to protect their endpoints," he says. "But, in other places — like SaaS applications and Chrome, for instance — you don't have enough visibility, and there is not enough security controls in place. So this [Chrome security issue] is just an evolution of what we are going to see happening more often."