{"id":52871,"date":"2025-01-15T11:20:00","date_gmt":"2025-01-15T16:20:00","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=52871"},"modified":"2025-01-15T11:20:00","modified_gmt":"2025-01-15T16:20:00","slug":"chrome-extension-malicious-updates-and-mitigations","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/chrome-extension-malicious-updates-and-mitigations\/52871\/","title":{"rendered":"How to defend against hijacking and trojanization of Chrome extensions"},"content":{"rendered":"<p>Right after Christmas, <a href=\"https:\/\/www.cyberhaven.com\/engineering-blog\/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension\" target=\"_blank\" rel=\"nofollow noopener\">news broke<\/a> of a multi-stage attack targeting developers of popular Chrome extensions. Ironically, the biggest-name target was a cybersecurity extension created by Cyberhaven \u2014 compromised just before the holidays (<a href=\"https:\/\/www.kaspersky.com\/blog\/xmas-network-security\/46653\/\" target=\"_blank\" rel=\"noopener nofollow\">we\u2019d previously warned<\/a> about such risks). As the incident investigation unfolded, the list grew to include <a href=\"https:\/\/www.extensiontotal.com\/cyberhaven-incident-live\" target=\"_blank\" rel=\"nofollow noopener\">no fewer than 35 popular extensions<\/a>, with a combined total of 2.5 million installations. The attackers\u2019 goal was to steal data from the browsers of users who installed trojanized updates of these extensions. The focus of the campaign was on stealing credentials for Meta services to compromise business accounts and display ads at victims\u2019 expense. However, that\u2019s not the only data that malicious extensions can steal from browsers. 
We explain how the attack works, and what measures you can take to protect yourself against it at different stages.<\/p>\n<h2>Attacking developers: OAuth abuse<\/h2>\n<p>To inject trojan functionality into popular Chrome extensions, cybercriminals have developed an original phishing scheme. They send developers emails disguised as standard Google alerts claiming that their extension violates Chrome Web Store policies and needs a new description. The text and layout of the message mimic typical Google emails, so the victim is often convinced. Moreover, the email is often sent from a domain set up to attack a specific extension, with the extension\u2019s name included in the domain name itself.<\/p>\n<p>Clicking the link in the email takes the user to a legitimate Google authentication page. After that, the developer sees another standard Google screen prompting them to sign in via OAuth to an app called \u201cPrivacy Policy Extension\u201d, and to grant certain permissions to it as part of the authentication process. This standard procedure takes place on legitimate Google pages, except that the \u201cPrivacy Policy Extension\u201d app requests permission to publish other extensions to the Chrome Web Store. If this permission is granted, the creators of \u201cPrivacy Policy Extension\u201d are able to publish updates to the Chrome Web Store on behalf of the victim.<\/p>\n<p>In this case, there\u2019s no need for the attackers to steal the developer\u2019s password or other credentials, or to bypass multi-factor authentication (MFA). They simply abuse Google\u2019s system for granting permissions to trick developers into authorizing the publication of updates to their extensions. Judging by the <a href=\"https:\/\/www.virustotal.com\/gui\/ip-address\/149.248.2.160\/relations\" target=\"_blank\" rel=\"nofollow noopener\">long list<\/a> of domains registered by the attackers, they attempted to attack far more than 35 extensions. 
In cases where the attack was successful, they released an updated version of the extension, adding two files for stealing Facebook cookies and other data (worker.js and content.js).<\/p>\n<h2>Attacking users<\/h2>\n<p>Chrome extensions typically receive updates automatically, so users who switched on their machines between December 25 and December 31, and opened Chrome, may have received an infected update of a previously installed extension.<\/p>\n<p>In this event, a malicious script runs in the victim\u2019s browser and sends data needed for compromising Facebook business accounts to the attackers\u2019 server. In addition to Facebook identifiers and <a href=\"https:\/\/www.kaspersky.com\/blog\/youtubers-takeovers\/48375\/\" target=\"_blank\" rel=\"noopener nofollow\">cookies<\/a>, the malware steals information required to log in to the target\u2019s advertising account, such as the user-agent data to identify the user\u2019s browser. On facebook.com, even mouse-click data is intercepted to help the threat actors bypass CAPTCHA and two-factor authentication (2FA). If the victim manages ads for their company or private business on Meta, the cybercriminals get to spend their advertising budget on their own ads \u2014 typically promoting scams and malicious sites (<a href=\"https:\/\/www.kaspersky.com\/blog\/cyberattacks-on-your-marketing\/50571\/\" target=\"_blank\" rel=\"noopener nofollow\">malvertising<\/a>). On top of the direct financial losses, the targeted organization faces legal and reputational risks, as the fake ads are published under its name.<\/p>\n<p>The malware can conceivably steal data from other sites too, so it\u2019s worth checking your browser even if you don\u2019t manage Facebook ads for a company.<\/p>\n<h2>What to do if you installed an infected extension update<\/h2>\n<p>To stop the theft of information from your browser, the first thing you need to do is to uninstall the compromised extension or update it to a patched version. 
See <a href=\"https:\/\/www.extensiontotal.com\/cyberhaven-incident-live\" target=\"_blank\" rel=\"nofollow noopener\">here<\/a> for a list of all known infected extensions with their current remediation status. Unfortunately, simply uninstalling or updating the infected extension is <strong>not enough<\/strong>. You should also reset any passwords and API keys that were stored in the browser or used during the incident period.<\/p>\n<p>Then, check the available logs for signs of communication with the attackers\u2019 servers. IoCs are available <a href=\"https:\/\/www.extensiontotal.com\/cyberhaven-incident-live\" target=\"_blank\" rel=\"nofollow noopener\">here<\/a> and <a href=\"https:\/\/keepaware.com\/blog\/cyberhaven-browser-extension-compromise\" target=\"_blank\" rel=\"nofollow noopener\">here<\/a>. If such communication took place, look for traces of unauthorized access in all services that were opened in the infected browser.<\/p>\n<p>After that, if Meta or any other advertising accounts were accessed from the infected browser, manually check all running ads, and stop any unauthorized advertising activity you find. Lastly, deactivate any compromised Facebook account sessions on all devices (<a href=\"https:\/\/www.facebook.com\/help\/211990645501187\/\" target=\"_blank\" rel=\"nofollow noopener\">Log out all other devices<\/a>), clear the browser cache and cookies, log in to Facebook again, and change the account password.<\/p>\n<h2>Incident takeaways<\/h2>\n<p>This incident is another example of <a href=\"https:\/\/www.kaspersky.com\/blog\/supply-chain-attacks-what-are-they-and-how-to-manage-the-risk\/52852\/\" target=\"_blank\" rel=\"noopener nofollow\">supply-chain attacks<\/a>. In the case of Chrome, it\u2019s made worse by the fact that updates are installed automatically without notifying the user. While updates are usually a good thing, here the auto-update mechanism allowed malicious extensions to spread quickly. 
To mitigate the risks of this scenario, companies are advised to do the following:<\/p>\n<ul>\n<li>Use group policies or the Google Admin console to restrict the installation of browser extensions to a trusted list;<\/li>\n<li>Create a list of trusted extensions based on business needs and information security practices used by the developers of said extensions;<\/li>\n<li>Apply <a href=\"https:\/\/support.google.com\/chrome\/a\/answer\/11190170?hl=en\" target=\"_blank\" rel=\"nofollow noopener\">version pinning<\/a> to disable automatic extension updates. At the same time, it\u2019ll be necessary to put in place a procedure for update monitoring and centralized updating of approved extensions by administrators;<\/li>\n<li>Install an <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/endpoint-detection-response-edr?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">EDR solution<\/a> on all devices in your organization to protect against malware and monitor suspicious events.<\/li>\n<\/ul>\n<p>Companies that publish software, including web extensions, need to ensure that permission to publish is granted to the minimum number of employees necessary \u2014 ideally from a privileged workstation with additional layers of protection, including MFA and tightly configured application launch control and website access. 
Employees authorized to publish need to undergo regular <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">information security training<\/a>, and be familiar with the latest attacker tactics, including spear phishing.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dangerous features are creeping into legitimate Chrome extensions. How to keep your organization safe?<\/p>\n","protected":false},"author":2722,"featured_media":52872,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052],"tags":[1278,16,1499,20,187,726,321],"class_list":{"0":"post-52871","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-browsers","11":"tag-chrome","12":"tag-extensions","13":"tag-facebook","14":"tag-passwords","15":"tag-scam","16":"tag-technology"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/chrome-extension-malicious-updates-and-mitigations\/52871\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/chrome-extension-malicious-updates-and-mitigations\/38881\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/chrome-extension-malicious-updates-and-mitigations\/28691\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/chrome\/","name":"Chrome"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=52871"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52871\/revisions"}],"predecessor-version":[{"id":52873,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52871\/revisions\/52873"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/52872"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=52871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=52871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=52871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}