
Google Chrome 2-Factor Authentication Bypass Attack Confirmed: What You Need to Know

A previously unconfirmed attack that bypasses two-factor authentication by stealing Google Chrome users' session cookies has now been confirmed. Here is what you need to know.

Chrome app icon depicted with a finger hovering nearby.

Cybercriminals don't take vacations, as a string of Google Chrome browser extension compromises dating back to mid-December and running through the holiday season illustrates. These attacks underscore the ongoing threat of two-factor authentication bypass against Google Chrome users.

The Recent Google Chrome Extension Security Threats

On December 27, Reuters reported a series of intrusions targeting several companies' Chrome browser extensions. Using Chrome extensions as an attack vector is not a novel tactic, but the scale and persistence of this latest campaign show how relentlessly attackers pursue session cookies, which let them bypass two-factor authentication protection outright.

One instance worth scrutiny is the attack on security company Cyberhaven, which illustrates both the hazards of such attacks and the importance of a rapid response.

"Our team has identified a malicious cyberattack on Cyberhaven that occurred on Christmas Eve, affecting our Chrome extension," Howard Ting, CEO of the data breach detection and response firm, announced in a security alert. "We wish to share the incident details and steps we are implementing to safeguard our customers and minimize damage."

The Cyberhaven Chrome Extension Attack

The attack on Cyberhaven began on December 24. A successful phishing attack tricked an employee and compromised their credentials, giving the attacker access to the Google Chrome Web Store. Using that access, the attacker uploaded a malicious version of the Cyberhaven Chrome extension. The malicious version was discovered and removed by December 26.

A preliminary analysis of the attack found that the initial intrusion started with a phishing email sent to Cyberhaven's Chrome extension support address, targeting its developers. Cyberhaven has published the email as a warning to others.

The phishing email that initiated the Cyberhaven extension attack

Upon clicking the phishing link, the victim entered the Google authorization flow for "adding a malicious OAUTH Google application called Privacy Policy Extension." The flow was hosted on Google.com and looked like the routine process for granting access to third-party Google applications, so the employee inadvertently authorized a malicious application. The employee had Google Advanced Protection enabled and multi-factor authentication (MFA) protection in place, but no MFA prompt was triggered, and the employee's Google credentials themselves were never exposed. A malicious Chrome extension (version 24.10.4), built on a clean, earlier version of the official Cyberhaven Chrome extension, was then uploaded to the Chrome Web Store.

The Chrome Extension 2FA Bypass: Impact, Scope, and Response

As reported by Ting, the scope and impact of the Cyberhaven Chrome extension attack were as follows:

Only extension version 24.10.4 was compromised, and the malicious code was active between December 25 and December 26. Only customers using cloud-based browsers that automatically updated during that window were affected.

For affected browsers, Cyberhaven confirmed that the malicious extension may have exfiltrated cookies and authenticated sessions for specific targeted websites, primarily social media advertising and AI platforms.

"Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD procedures and code signing keys, were compromised," Ting stated.

Cyberhaven notified affected customers and, in the interest of full disclosure, unaffected ones as well. The malicious Chrome extension was removed from the Chrome Web Store, and a new, clean version (24.10.5) was deployed automatically. According to Ting, "We recommend that customers running version 24.10.4 of our Chrome extension during the affected period verify that their extension has been updated to version 24.10.5 or more recent." I have reached out to Google for comment.
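The verification step Ting recommends can be automated across a fleet. The script below is an added example, not Cyberhaven's or the article's own code: it walks a Chrome profile's extension directory tree (Chrome keeps each install under Extensions/<id>/<version>_<n>/manifest.json), matches installed extensions against a watch list keyed on the manifest name, and flags any copy still on the compromised 24.10.4 build or older than the 24.10.5 fix. The extension IDs and manifests it creates are constructed demo data; the real extension's ID is not given in the article.

```python
"""Audit a Chrome profile's installed extensions for a compromised release.
Added example, not Cyberhaven's code. Chrome keeps each install under
Extensions/<32-char id>/<version>_<n>/manifest.json; the IDs and manifests
below are constructed demo data, not the real extension's."""
import json
import tempfile
from pathlib import Path

# Versions as stated in the disclosure: 24.10.4 compromised, 24.10.5 fixed.
WATCHLIST = {"Cyberhaven": {"bad": "24.10.4", "fixed": "24.10.5"}}


def parse_version(v: str) -> tuple:
    """'24.10.4' -> (24, 10, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def audit_extensions(profile_dir: Path) -> list:
    """Return (name, version, verdict) for every watch-listed extension found."""
    findings = []
    for manifest in sorted(profile_dir.glob("Extensions/*/*/manifest.json")):
        data = json.loads(manifest.read_text(encoding="utf-8"))
        name, version = data.get("name", ""), data.get("version", "0")
        rule = WATCHLIST.get(name)
        if rule is None:
            continue  # not an extension we are tracking
        if parse_version(version) == parse_version(rule["bad"]):
            verdict = "COMPROMISED"  # the malicious build is still installed
        elif parse_version(version) < parse_version(rule["fixed"]):
            verdict = "OUTDATED"     # predates the fix; update before trusting
        else:
            verdict = "OK"
        findings.append((name, version, verdict))
    return findings


def build_sample_profile() -> Path:
    """Construct a throwaway profile with three installs (fake IDs, demo only)."""
    root = Path(tempfile.mkdtemp())
    for ext_id, name, version in [
        ("a" * 32, "Cyberhaven", "24.10.4"),    # still on the malicious build
        ("b" * 32, "Cyberhaven", "24.10.5"),    # updated to the clean release
        ("c" * 32, "Unrelated Tool", "1.2.3"),  # not on the watch list
    ]:
        d = root / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
    return root
```

To run it against a real profile, pass its directory (for example ~/.config/google-chrome/Default on Linux) to audit_extensions instead of the constructed one; a COMPROMISED verdict means the extension's cookies and sessions for the targeted sites should be treated as exposed even after the update lands.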

  1. The attack on Cyberhaven's Chrome extension highlighted the risk of 2FA bypass via Google Chrome and the need for stronger security measures.
  2. The attack began with a phishing email sent to the company's Chrome extension support address, which tricked an employee and gave the attacker access to the Google Chrome Web Store.
  3. The attacker then used that access to upload a malicious version of the Cyberhaven Chrome extension, bypassing the employee's Google Advanced Protection and multi-factor authentication (MFA) protection.
  4. The malicious Chrome extension, version 24.10.4, could have exfiltrated cookies and authenticated sessions for specific targeted websites, primarily social media advertising and AI platforms.
  5. With 2FA bypass attacks ongoing, users and developers alike need to stay vigilant against Chrome extension compromises, phishing attempts, and two-factor authentication bypass attempts.
