A targeted cyberattack has compromised the Chrome extension of Cyberhaven, a data-loss prevention startup, exposing user credentials and session tokens to potential misuse.
The breach, which affected version 24.10.4 of the extension, was detected on December 25 and has raised alarms about the security of browser extensions and their role in enterprise systems.
Breach Details and User Risks
Hackers infiltrated Cyberhaven’s systems by compromising an administrator account, enabling them to publish the malicious update. Users who downloaded the affected version faced risks including:
- Data Exfiltration: Attackers could access session tokens, authenticated cookies, and other sensitive data.
- Security Bypass: With stolen session tokens, attackers could circumvent two-factor authentication and gain unauthorized access to user accounts without ever needing the password.
In an email to customers, Cyberhaven outlined these risks and provided mitigation steps, emphasizing the need for immediate action to protect sensitive information.
Cyberhaven’s Swift Response
Cyberhaven’s security team identified and removed the malicious extension from the Chrome Web Store within hours. A clean version, 24.10.5, was released promptly to replace the compromised update.
The company has enlisted the expertise of Mandiant, a leading incident response firm, and is cooperating with federal law enforcement agencies to investigate the breach.
Cyberhaven has committed to revising its security practices to prevent similar incidents in the future.
Recommended Actions for Affected Users
To mitigate potential fallout, Cyberhaven has urged users to:
- Change Credentials: Revoke and rotate passwords, API tokens, and other text-based credentials.
- Monitor Logs: Examine browser and system logs for unusual activity.
- Secure Stored Data: Reassess and update credentials saved in the browser for other accounts.
Wider Implications of the Attack
This breach is not an isolated incident but part of a broader campaign targeting multiple Chrome extensions. Other compromised tools include:
- Internxt VPN: Over 10,000 users affected.
- VPNCity: A privacy-focused VPN with 50,000 users.
- Uvoice: A survey-based rewards service with 40,000 users.
- ParrotTalks: A productivity tool used by 40,000 users.
In each case, attackers injected malicious code to steal sensitive user data and execute remote commands.
Insights from Security Experts
Security researcher Jaime Blasco from Nudge Security noted that these attacks appear opportunistic, targeting developer accounts rather than specific companies.
The attackers leveraged stolen credentials to publish malicious updates across various extensions, exploiting weak points in the Chrome extension ecosystem.
Blasco’s analysis revealed that the malicious code enabled data collection across diverse extension categories, including AI tools, VPNs, and productivity apps.
Supply Chain Attack Raises Security Concerns
The incident highlights systemic vulnerabilities in browser extension security. With extensions often granted deep access to browser data, their compromise can lead to widespread data breaches.
Cyberhaven’s use of a single admin account for the Chrome Web Store, as revealed in its communication, underscores the need for stricter security measures.
Broader Industry Impact
The attack emphasizes the importance of robust security protocols for both developers and businesses:
- Developers: Must implement stronger authentication, such as multi-factor protocols, and monitor accounts for suspicious activity.
- Businesses: Should regularly audit third-party tools and enforce policies to limit browser extension permissions.
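One way a business could act on the audit recommendation above, as an added example that is not code from the article, Cyberhaven or Google: a Python script that walks a Chrome profile's Extensions directory, reads each manifest.json, and flags the compromised version named in the article as well as permissions that grant broad access to browser data. The profile layout (Extensions/<id>/<version>/manifest.json), the name-based match (the article does not give the extension's Web Store ID) and the permission watch-list are assumptions.

```python
"""Audit a Chrome profile's installed extensions (added example, not vendor code).
Assumes Chrome's usual layout <profile>/Extensions/<extension-id>/<version>/manifest.json
and matches the compromised build by manifest 'name' + 'version'."""
import json
from pathlib import Path

# Constructed from the article: manifest name -> versions known to be malicious.
COMPROMISED_VERSIONS = {"Cyberhaven": {"24.10.4"}}

# Assumed watch-list: permissions that expose cookies, session data or every site.
BROAD_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "history",
                     "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest):
    """Return findings for one parsed manifest.json dictionary."""
    name = manifest.get("name", "")
    version = manifest.get("version", "")
    # MV2 lists host patterns under 'permissions'; MV3 moves them to 'host_permissions'.
    requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return {
        "name": name,
        "version": version,
        "known_compromised": version in COMPROMISED_VERSIONS.get(name, set()),
        "broad_permissions": sorted(requested & BROAD_PERMISSIONS),
    }


def audit_profile(profile_dir):
    """Walk every installed extension version under a Chrome profile directory."""
    findings = []
    for manifest_path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        finding = audit_manifest(manifest)
        # Directory above the version directory is the extension ID.
        finding["extension_id"] = manifest_path.parents[1].name
        # Localized names such as '__MSG_appName__' will not match the watch-list by name.
        findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    for f in audit_profile(sys.argv[1]):
        flag = "COMPROMISED" if f["known_compromised"] else ("review" if f["broad_permissions"] else "ok")
        print(f"{flag:12} {f['extension_id']} {f['name']} {f['version']} {f['broad_permissions']}")
```

Run it as `python audit_extensions.py "<path to Chrome profile>"`; anything marked COMPROMISED should trigger the credential rotation steps listed earlier, and "review" entries are candidates for the permission-limiting policy.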
Federal Involvement
Cyberhaven is actively working with U.S. federal law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA) to determine the extent of the attack. While the campaign’s geographical reach remains unclear, its implications are global.
This incident serves as a wake-up call for the tech industry to address supply-chain vulnerabilities in browser extensions.
Strengthening account security, conducting regular audits, and fostering awareness among users and businesses are essential steps to prevent future breaches.
As investigations continue, the spotlight is on how companies and developers can bolster defences to safeguard digital ecosystems against sophisticated cyber threats.