Chrome-extension compromises highlight software supply challenges

The Christmas Eve compromise of data-security firm Cyberhaven's Chrome extension spotlights the challenges in shoring up third-party software supply chains.


On Christmas Eve, developers at data detection and response firm Cyberhaven received a troubling email that seemed to come from Google, threatening to remove access to the company's Chrome extension for a policy violation involving excessive metadata.

When one employee clicked on the "Go To Policy" link, they were taken to Google's authorization page for granting privileges to a third-party application — in this case, a seemingly innocuous application named "Privacy Policy Extension" — and granted the software rights to see, edit, update, and publish to the Chrome Web Store. Once granted access, the attacker quickly uploaded a new version of Cyberhaven's browser add-on, modified to exfiltrate Facebook access tokens saved in the browser and to install a mouse-click listener that could be used to bypass captchas, according to a preliminary analysis of the breach by the firm's engineering team.
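The step described above that a defender can most readily catch is the update itself: a publisher account pushing a new version whose permissions, host patterns, or injected content scripts are broader than the previous release. The following added example is not Cyberhaven's or Google's code; the extension name, file names, and both manifests are constructed for illustration. It compares two Chrome manifest.json files and reports capability growth, treating new sensitive permissions and broad host patterns as high severity.

```python
"""Flag privilege expansion between two versions of a Chrome extension's
manifest.json. Added illustration with constructed manifests; these are not
Cyberhaven's or any real extension's files."""
import json

# Host patterns broad enough that a newly added one deserves review.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Manifest V3 permissions whose sudden appearance in an update is a red flag
# (cookie and tab access is what token and session theft needs).
SENSITIVE_PERMS = {"cookies", "webRequest", "declarativeNetRequest",
                   "scripting", "tabs", "history", "management"}


def _as_set(manifest, key):
    return set(manifest.get(key, []))


def content_script_hosts(manifest):
    """Collect every match pattern on which the extension injects scripts."""
    hosts = set()
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def diff_manifests(old, new):
    """Return a list of (severity, message) findings describing capability
    growth from old to new. An empty list means no expansion was found."""
    findings = []
    for p in sorted(_as_set(new, "permissions") - _as_set(old, "permissions")):
        sev = "high" if p in SENSITIVE_PERMS else "info"
        findings.append((sev, f"new permission: {p}"))
    for h in sorted(_as_set(new, "host_permissions") - _as_set(old, "host_permissions")):
        sev = "high" if h in BROAD_HOSTS else "medium"
        findings.append((sev, f"new host permission: {h}"))
    for h in sorted(content_script_hosts(new) - content_script_hosts(old)):
        sev = "high" if h in BROAD_HOSTS else "medium"
        findings.append((sev, f"content script now injected on: {h}"))
    # A capability change that ships under an unchanged version string is
    # itself suspicious: legitimate releases bump the version.
    if findings and new.get("version") == old.get("version"):
        findings.append(("high", "capabilities changed without a version bump"))
    return findings


def highest_severity(findings):
    """Worst severity in a findings list, or None if the list is empty."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((f[0] for f in findings), key=order.get, default=None)


# Constructed sample: a benign release followed by an update that widens scope.
OLD_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Data Guard",
  "version": "24.10.1",
  "permissions": ["storage", "activeTab"],
  "host_permissions": ["https://app.example.com/*"],
  "content_scripts": [{"matches": ["https://app.example.com/*"], "js": ["guard.js"]}]
}""")

NEW_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Data Guard",
  "version": "24.10.2",
  "permissions": ["storage", "activeTab", "cookies"],
  "host_permissions": ["https://app.example.com/*", "<all_urls>"],
  "content_scripts": [{"matches": ["https://app.example.com/*"], "js": ["guard.js"]},
                      {"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    for sev, msg in diff_manifests(OLD_MANIFEST, NEW_MANIFEST):
        print(f"[{sev}] {msg}")
```

Run against the two constructed manifests, the script reports three high-severity findings: the new `cookies` permission, the new `<all_urls>` host permission, and a content script now injected on every site. In a managed fleet this kind of check belongs in the process that decides whether an updated version is allowed at all, upstream of Chrome's enterprise ExtensionSettings policy, which can pin which extensions and permissions are permitted.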

The malicious Chrome extension was only active for about a day before discovery, Howard Ting, CEO of Cyberhaven, said in a statement.

"For browsers running the compromised extension during this period, the malicious code could have exfiltrated cookies and authenticated sessions for certain targeted websites," he said. "While the investigation is ongoing, our initial findings show the attacker was targeting logins to specific social media advertising and AI platforms."

Cyberhaven is not alone, but rather appears to be one of the first victims to detect the attack. So far, 36 different extensions — used by as many as 2.6 million people — appear to be linked in some way to the attack, its techniques, or the infrastructure used by the attackers, according to an analysis by John Tuckner, founder of Secure Annex, a browser-extension management service. Until Cyberhaven detected the attack on its Chrome extension, developers at other companies and independent programmers had largely failed to detect similar compromises carried out through the same supply-chain attack.

Attackers Focus on Supply Chain

The attacks underscore the problems that companies have in securing their software supply chains. Most companies do not have visibility into much of the software — and cloud services replacing some software — that their employees are using on a daily basis, says Jaime Blasco, chief technology officer and cofounder at Nudge Security, a cloud application security service provider.

"Modern shadow IT is not just software," he says. "Every SaaS application that your employees are using, they grant access to tons of resources that no one knows about — that includes Chrome extensions and extensions in your IDEs. There's a lot of new attack surface that people are not paying attention to in the SaaS ecosystem."

Many companies do not pay attention to the potential for compromise through plug-ins that extend software applications, such as the Chrome browser and its extensions.

Yet, despite Google's updated security and privacy standards for Google Chrome extensions, attackers and researchers continue to find ways to inject malicious code into victims' browsers through the extension ecosystem. In 2021, for example, Google removed a Chrome extension that helped users shut down old tabs and their processes, after a cybercriminal group bought the extension from the original developer and used it to install malicious code on the systems of its approximately 2 million users. University researchers have also found ways to circumvent Google's security process to publish malicious Chrome extensions to the Chrome Web Store.

Overall, hundreds of millions of Chrome users have security-noteworthy extensions (SNEs) — those that contain malware, a vulnerability, or violate Google's policies — installed in their browsers, according to one study published by Stanford University researchers.

To read the complete article, visit Dark Reading.
