Cybersecurity firm's Chrome extension hijacked to steal users' passwords



Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens, according to an email sent to affected customers, who may have been victims of this suspected supply-chain attack.

Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on specifics about the incident.

An email from the company sent to customers, obtained and published by security researcher Matt Johansen, said the hackers compromised a company account to publish a malicious update to its Chrome extension in the early morning of December 25. The email said that for customers running the compromised browser extension, "it's possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker's domain."

Cyberhaven spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity.

In a brief emailed statement, Cyberhaven said its security team detected the compromise in the afternoon of December 25 and that the malicious extension (version 24.10.4) was then removed from the Chrome Web Store. A new, legitimate version of the extension (24.10.5) was released soon after.
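The first thing a responder wants to know after reading the above is whether the compromised build is still sitting in any Chrome profile on a machine. The following inventory check is an added example written for this article; it is not code from Cyberhaven, TechCrunch, or any of the article's sources. Only the two version numbers (24.10.4 compromised, 24.10.5 clean) come from the article. The extension's Chrome Web Store ID is not given in the text, so the script matches on the manifest name containing "Cyberhaven", which is an assumption the reader should replace with the real extension ID; the Chrome profile paths are the standard per-platform defaults, and the sample profile tree it builds for the offline demo is entirely constructed.

```python
import json
import tempfile
from pathlib import Path

# Added inventory check for this article; not code from Cyberhaven, TechCrunch,
# or the article's sources.
# Only the two version strings below come from the article. The extension's
# Chrome Web Store ID is not given there, so matching is by manifest name,
# an assumption the reader should replace with the real ID.
COMPROMISED_VERSION = "24.10.4"
CLEAN_VERSION = "24.10.5"
NAME_HINT = "cyberhaven"


def chrome_user_data_dirs(home=None):
    """Best-effort list of Chrome 'User Data' directories for the current user."""
    home = Path(home) if home else Path.home()
    candidates = [
        home / "AppData" / "Local" / "Google" / "Chrome" / "User Data",   # Windows
        home / "Library" / "Application Support" / "Google" / "Chrome",   # macOS
        home / ".config" / "google-chrome",                               # Linux
    ]
    return [p for p in candidates if p.is_dir()]


def installed_extensions(user_data_dir):
    """Yield (profile, ext_id, name, version) for every unpacked extension.

    Chrome stores Web Store extensions as
    <User Data>/<Profile>/Extensions/<ext_id>/<version>_<n>/manifest.json.
    The manifest "version" field is authoritative; the directory name carries
    a trailing "_<n>" install counter. Localized names appear as
    "__MSG_..__" placeholders and are reported verbatim.
    """
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or partially written manifest; skip it
        ext_id = manifest.parents[1].name
        profile = manifest.parents[3].name
        yield profile, ext_id, str(data.get("name", "")), str(data.get("version", ""))


def flag_compromised(extensions, bad_version=COMPROMISED_VERSION, name_hint=NAME_HINT):
    """Return entries whose name matches the hint and whose version is the bad one."""
    return [
        entry for entry in extensions
        if name_hint in entry[2].lower() and entry[3] == bad_version
    ]


def build_sample_user_data(root):
    """Write a constructed Chrome profile tree for offline testing.

    Every entry here is made up for the example: the extension IDs are
    placeholders, and only the versions mirror what the article reports.
    """
    samples = [
        ("Default",   "a" * 32, "Cyberhaven",          COMPROMISED_VERSION),
        ("Profile 1", "a" * 32, "Cyberhaven",          CLEAN_VERSION),
        ("Default",   "b" * 32, "Unrelated Extension", "1.2.3"),
    ]
    for profile, ext_id, name, version in samples:
        d = Path(root) / profile / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(
            json.dumps({"manifest_version": 3, "name": name, "version": version}),
            encoding="utf-8",
        )


def demo():
    """Scan the constructed tree and return what a responder would act on."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_user_data(tmp)
        return flag_compromised(installed_extensions(tmp))


if __name__ == "__main__":
    print("constructed sample:", demo())
    for user_data in chrome_user_data_dirs():
        for hit in flag_compromised(installed_extensions(user_data)):
            print("COMPROMISED VERSION PRESENT:", user_data, hit)
```

Run it as the affected user on each endpoint, or point `installed_extensions` at a mounted disk image during forensics. A hit only tells you the malicious build was installed; because the article says the update could exfiltrate live sessions and cookies, a hit still has to be followed by the credential rotation and log review described below, even if the extension has since auto-updated to 24.10.5.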

Cyberhaven offers products that it says protect against data exfiltration and other cyberattacks, including browser extensions, which allow the company to monitor for potentially malicious activity on websites. The Chrome Web Store shows the Cyberhaven extension has around 400,000 corporate customer users at the time of writing.

When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified about the breach. The California-based company lists technology giants Motorola, Reddit, and Snowflake as customers, as well as law firms and health insurance giants.

According to the email that Cyberhaven sent to its customers, affected users should "revoke" and "rotate all passwords" and other text-based credentials, such as API tokens. Cyberhaven said customers should also review their own logs for malicious activity. (Session tokens and cookies for logged-in accounts that are stolen from the user's browser can be used to log in to that account without needing the password or two-factor code, effectively allowing hackers to bypass those security measures. Rotating the password alone does not help if the stolen session is still valid, which is why revoking existing sessions comes first.)

The email does not specify whether customers should also change any credentials for other accounts stored in the Chrome browser, and Cyberhaven's spokesperson declined to specify when asked by TechCrunch.

According to the email, the compromised company account was the "single admin account for the Google Chrome Store." Cyberhaven did not say how the company account was compromised, or what corporate security policies were in place that allowed the account compromise. The company said in its brief statement that it has "initiated a comprehensive review of our security practices and will be implementing additional safeguards based on our findings."

Cyberhaven said it has hired an incident response firm, which the email to customers says is Mandiant, and is "actively cooperating with federal law enforcement."

Jaime Blasco, the co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions were compromised as apparently part of the same campaign, including several extensions with tens of thousands of users.

Blasco told TechCrunch that he is still investigating the attacks and believes at this point that there were more extensions compromised earlier this year, including some related to AI, productivity, and VPNs.

"It seems it wasn't targeted against Cyberhaven, but rather opportunistically targeting extension developers," said Blasco. "I think they went after the extensions that they could based on the developers' credentials that they had."

In its statement to TechCrunch, Cyberhaven said that "public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies." At this point it is unclear who is responsible for this campaign, and other affected companies and their extensions have yet to be confirmed.
