WEAK LINK IN THE CHAIN Time to check if you ran any of these 33 malicious Chrome extensions Two separate campaigns have been stealing credentials and browsing history for months. Dan Goodin Jan 3, 2025 7:15 am | 1 Credit: Getty Images Credit: Getty Images Story textSizeSmallStandardLargeWidth *StandardWideLinksStandardOrange* Subscribers only Learn moreAs many of us celebrated the year-end holidays, a small group of researchers worked overtime tracking a startling discovery: At least 33 browser extensions hosted in Googles Chrome Web Store, some for as long as 18 months, were surreptitiously siphoning sensitive data from roughly 2.6 million devices.The compromises came to light with the discovery by data loss prevention service Cyberhaven that a Chrome extension used by 400,000 of its customers had been updated with code that stole their sensitive data.Twas the night before ChristmasThe malicious extension, available as version 24.10.4, was available for 31 hours, starting on December 25 at 1:32 AM UTC to Dec 26 at 2:50 AM UTC. Chrome browsers actively running the Cyberhaven during that window would automatically download and install the malicious code. Cyberhaven responded by issuing version 24.10.5, and a few days later 24.10.6.The Cyberhaven extension is designed to prevent users from inadvertently entering sensitive data into emails or websites they visit. Analyses of version 24.10.4 showed that it was configured to work with different payloads that were downloaded from cyberhavenext[.]pro, a malicious site the threat actor registered to give the appearance it was affiliated with the company. One recovered payload, Cyberhaven said, scoured user devices for browser cookies and authentication credentials for the facebook.com domain. A separate payload recovered by security firm Secure Annex stole cookies and credentials for chatgpt.com; Cyberhaven said the payload didn't appear functional.The malicious version came through a spear phishing email sent to the developers Google listed for the Cyberhaven extension on Christmas Eve. It warned that the extension wasnt in compliance with Google terms and would be revoked unless the developer took immediate action. Screenshot showing the phishing email sent to Cyberhaven extension developers. Credit: Amit Assaraf A link in the email led to a Google consent screen requesting access permission for an OAuth application named Privacy Policy Extension. A Cyberhaven developer granted the permission and, in the process, unknowingly gave the attacker the ability to upload new versions of Cyberhavens Chrome extension to the Chrome Web Store. The attacker then used the permission to push out the malicious version 24.10.4. Screenshot showing the Google permission request. Credit: Amit Assaraf As word of the attack spread in the early hours of December 25, developers and researchers discovered that other extensions were targeted, in many cases successfully, by the same spear phishing campaign. John Tuckner, founder of Security Annex, a browser extension analysis and management firm, said that as of Thursday afternoon, he knew of 19 other Chrome extensions that were similarly compromised. In all cases, the attacker used spear phishing to push a new malicious version and custom, look-alike domains to issue payloads and receive authentication credentials. Collectively, the 20 extensions had 1.46 million downloads.For many I talk to, managing browser extensions can be a lower priority item in their security program, Tuckner wrote in an email. Folks know they can present a threat, but rarely are teams taking action on them. We've often seen in security, one or two incidents can cause a reevaluation of an organization's security posture. Incidents like this often result in teams scrambling to find a way to gain visibility and understanding of impact to their organizations.The earliest compromise occurred in May 2024. Tuckner provided the following spreadsheet:NameIDVersionPatchAvailableUsersStartEndVPNCitynnpnnpemnckcfdebeekibpiijlicmpom2.0.1FALSE10,00012/12/2412/31/24Parrot Talkskkodiihpgodmdankclfibbiphjkfdenh1.16.2TRUE40,00012/25/2412/31/24Uvoiceoaikpkmjciadfpddlpjjdapglcihgdle1.0.12TRUE40,00012/26/2412/31/24Internxt VPNdpggmcodlahmljkhlmpgpdcffdaoccni1.1.11.2.0TRUE10,00012/25/2412/29/24Bookmark Favicon Changeracmfnomgphggonodopogfbmkneepfgnh4.00TRUE40,00012/25/2412/31/24Castorusmnhffkhmpnefgklngfmlndmkimimbphc4.404.41TRUE50,00012/26/2412/27/24Wayin AIcedgndijpacnfbdggppddacngjfdkaca0.0.11TRUE40,00012/19/2412/31/24Search Copilot AI Assistant for Chromebbdnohkpnbkdkmnkddobeafboooinpla1.0.1TRUE20,0007/17/2412/31/24VidHelper - Video Downloaderegmennebgadmncfjafcemlecimkepcle2.2.7TRUE20,00012/26/2412/31/24AI Assistant - ChatGPT and Gemini for Chromebibjgkidgpfbblifamdlkdlhgihmfohh0.1.3FALSE4,0005/31/2410/25/24TinaMind - The GPT-4o-powered AI Assistant!befflofjcniongenjmbkgkoljhgliihe2.13.02.14.0TRUE40,00012/15/2412/20/24Bard AI chatpkgciiiancapdlpcbppfkmeaieppikkk1.3.7FALSE100,0009/5/2410/22/24Reader Modellimhhconnjiflfimocjggfjdlmlhblm1.5.7FALSE300,00012/18/2412/19/24Primus (prev. PADO)oeiomhmbaapihbilkfkhmlajkeegnjhe3.18.03.20.0TRUE40,00012/18/2412/25/24Cyberhaven security extension V3pajkjnmeojmbapicmbpliphjmcekeaac24.10.424.10.5TRUE400,00012/24/2412/26/24GraphQL Network Inspectorndlbedplllcgconngcnfmkadhokfaaln2.22.62.22.7TRUE80,00012/29/2412/30/24GPT 4 Summary with OpenAIepdjhgbipjpbbhoccdeipghoihibnfja1.4FALSE10,0005/31/249/29/24Vidnoz Flex - Video recorder & Video sharecplhlgabfijoiabgkigdafklbhhdkahj1.0.161FALSE6,00012/25/2412/29/24YesCaptcha assistantjiofmdifioeejeilfkpegipdjiopiekl1.1.61TRUE200,00012/29/2412/31/24Proxy SwitchyOmega (V3)hihblcmlaaademjlakdpicchbjnnnkbo3.0.2TRUE10,00012/30/2412/31/24But wait, theres moreOne of the compromised extensions is one called Reader Mode. Further analysis showed it had been compromised not just in the campaign targeting the other 19 extensions but in a separate campaign that started no later than April 2023. Tuckner said the source of the compromise appears to be a code library developers can use to monetize their extensions. The code library collects details about each web visit a browser makes. In exchange for incorporating the library into the extensions, developers receive a commission from the library creator.Tuckner said that Reader Mode is one of 13 Chrome extensions known to have used the library to collect potentially sensitive data. Collectively, these extensions had 1.14 million installations. The full list is:NameIDVersionPatchAvailableUsersStartEndReader Modellimhhconnjiflfimocjggfjdlmlhblm1.5.7FALSE300,00012/18/2412/19/24Tackker - online keylogger toolekpkdmohpdnebfedjjfklhpefgpgaaji1.31.4TRUE10,00010/6/238/13/24AI Shop Buddyepikoohpebngmakjinphfiagogjcnddm2.7.3TRUE4,0004/30/24Sort by Oldestmiglaibdlgminlepgeifekifakochlka1.4.5TRUE2,0001/11/24Rewards Search Automatoreanofdhdfbcalhflpbdipkjjkoimeeod1.4.9TRUE100,0005/4/24Earny - Up to 20% Cash Backogbhbgkiojdollpjbhbamafmedkeockb1.8.1TRUE100,004/5/23ChatGPT Assistant - Smart Searchbgejafhieobnfpjlpcjjggoboebonfcg1.1.1TRUE1892/12/24Keyboard History Recorderigbodamhgjohafcenbcljfegbipdfjpk2.3TRUE5,0007/29/24Email Huntermbindhfolmpijhodmgkloeeppmkhpmhc1.44TRUE100,0009/17/24Visual Effects for Google Meethodiladlefdpcbemnbbcpclbmknkiaem3.1.33.2.4TRUE900,0006/13/231/10/24ChatGPT Applbneaaedflankmgmfbmaplggbmjjmbae1.3.8TRUE7,0009/3/24Web Mirroreaijffijbobmnonfhilihbejadplhddo2.4TRUE4,00010/13/23Hi AIhmiaoahjllhfgebflooeeefeiafpkfde1.0.0TRUE2297/29/24As Tuckner indicated, browser extensions have long remained a weak link in the security chain. In 2019, for example, extensions for both Chrome and Firefox were caught stealing sensitive data from 4 million devices. Many of the infected devices ran inside the networks of dozens of companies, including Tesla, Blue Origin, FireEye, Symantec, TMobile, and Reddit. In many cases, curbing the threat of malicious extensions is easy since so many extensions provide no useful benefit.In the case of other abused extensions, such as the one used by Cyberhaven customers, it's not as easy to address the threat. After all, the extension provides a service that many organizations find valuable. Tuckner said one potential part of the solution is for organizations to compile a browser asset management list that allows only selected extensions to run and blocks all others. Even then, Cyberhaven customers would have installed the malicious extension version unless the asset management list specifies a specific version to trust and to distrust all others.Anyone who ran one of these compromised extensions should carefully consider changing passwords and other authentication credentials. The Secure Annex post provides additional indicators of compromise, as do posts here, here, here, and here.Dan GoodinSenior Security EditorDan GoodinSenior Security Editor Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82. 1 Comments