Cybersecurity researchers have found dozens of malicious updates for Chrome browser extensions, following a recent compromise at a security firm.
As of January 1st, 36 Chrome extensions with data-stealing code have been identified, primarily linked to AI tools and VPNs, according to a report by ExtensionTotal, a platform that tracks browser extensions.
Around 2.6 million users have been affected by these extensions, which include tools like ChatGPT for Google Meet, Bard AI Chat, YesCaptcha Assistant, VPNCity, and Internxt VPN. Some companies have responded by removing or updating the compromised extensions, ExtensionTotal reports.
Last week, a phishing email enabled an unidentified threat actor to compromise an administrative account at the security firm Cyberhaven, allowing them to release a malicious version of the firm's extension.
Claiming that Cyberhaven's extension breached Google’s policies, the phishing email threatened removal from the Chrome Web Store. According to Cyberhaven, the attackers primarily targeted Facebook Ads accounts to extract access tokens, user IDs, and advertising-related data.
It is still uncertain if a single threat actor is behind all the compromised extensions.
Researchers warn that browser extensions pose significant risks due to their deep access to sensitive data, such as authenticated sessions. Extensions can be easily updated and are frequently overlooked in security reviews compared to conventional software.
Organizations are advised to use only pre-approved versions of extensions and ensure these versions remain secure, protected from unauthorized changes and malicious automatic updates.
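
One way to check the advice above on an endpoint, as an added example that is not from the article or from any vendor named in it: a Python audit that compares the extensions installed in a Chrome profile against an allowlist of pinned versions and reports unapproved extensions and version drift. It assumes the profile's `Extensions/<id>/<version>_<n>/manifest.json` on-disk layout; the extension IDs, versions and allowlist are constructed sample data.

```python
import json
import tempfile
from pathlib import Path

# Constructed allowlist: extension ID -> the one version that was reviewed.
APPROVED = {"a" * 32: "1.4.0", "b" * 32: "2.0.0"}


def audit_extensions(extensions_dir, approved):
    """Return (extension_id, installed_version, finding) for every deviation."""
    findings = []
    for ext_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        ext_id = ext_dir.name
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            try:
                version = json.loads(manifest.read_text(encoding="utf-8-sig"))["version"]
            except (OSError, ValueError, KeyError, TypeError):
                findings.append((ext_id, manifest.parent.name, "unreadable manifest"))
                continue
            if ext_id not in approved:
                findings.append((ext_id, version, "not on allowlist"))
            elif version != approved[ext_id]:
                findings.append((ext_id, version, f"version drift, approved {approved[ext_id]}"))
    return findings


def build_sample_profile(root):
    """Constructed sample data: three fake extensions with made-up IDs."""
    sample = {
        "a" * 32: "1.4.0",  # approved, still at the pinned version
        "b" * 32: "2.0.1",  # approved ID, but updated past the pin
        "c" * 32: "0.9.0",  # never approved
    }
    for ext_id, version in sample.items():
        version_dir = Path(root) / ext_id / f"{version}_0"
        version_dir.mkdir(parents=True)
        manifest = {"name": "sample", "version": version, "manifest_version": 3}
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_sample_profile(tmp), APPROVED)


if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

An audit like this only detects drift after the fact; keeping an approved version from being replaced by an automatic update still has to be enforced through browser management policy.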