Warning: Millions of Chrome Browser Users Are at Risk - What Happened?
Cybersecurity organization Sekoia is warning Chrome users about a supply chain attack targeting browser extension developers that may have already affected hundreds of thousands of people.
January 24, 2025 10:19
Similar attacks took place two years ago
Dozens of Chrome extension developers were targeted in a large-scale phishing campaign that sought to steal API keys, session cookies, and other authentication tokens from sites like ChatGPT and Facebook for Business.
Cybersecurity firm Sekoia analyzed the infrastructure of this campaign and traced its connection to similar attacks that took place as far back as 2023.
The campaign’s most recent activity was recorded on December 30, 2024.
One of the victims was California-based Cyberhaven, which develops a cloud-based data protection tool.
The attack took place on December 26, 2024, during the holiday season, and the company did not notice the compromise at the time; it was widely reported only later.
Incident part of a broader campaign
Booz Allen Hamilton confirmed that the Cyberhaven incident was part of a broader campaign.
The Booz Allen Hamilton report provides a long list of potentially affected extensions, and the number of affected users could be in the millions. Sekoia provided a shorter but overlapping list.
Some of the potentially affected extensions have already been removed from Chrome, while others have been updated since the Cyberhaven incident, but few have publicly acknowledged the breach.
Ryzal Yusoff, the creator of the Reader Mode extension, reported a cyberattack on December 5, 2024, that uploaded malicious versions to the Chrome store.
The attack was discovered on December 20, when Google issued warnings. The malicious versions could collect user data or perform other malicious actions.
Jaime Blasco, CTO at Nudge Security, also identified the potentially affected extensions, which largely matched the list in the Booz report.
How did the attackers target Chrome developers?
According to Yusoff and Sekoia, the attackers targeted Chrome developers by sending fraudulent emails that mimicked the official developer support service.
The emails warned of alleged extension policy violations and redirected to a legitimate Google page, where developers unsuspectingly approved access to a malicious OAuth application.
The attackers used this access to upload compromised versions of the extensions.
The emails may have been harvested from public Chrome Store information, and the latest attacks were a continuation of campaigns launched in 2023 that used the same technologies and loggers, researchers said.
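The consent-phishing flow described above works because the link really does lead to Google; the tell is which third-party application the developer would be authorizing, and for what. The following triage helper is an added example, not code from the article or from Sekoia; it parses a suspect link, checks whether it is a Google OAuth authorization request, and flags an unvetted client_id or a request for the Chrome Web Store publishing scope. The trusted client ID and the sample link are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist of OAuth client IDs the organisation has vetted
# (constructed placeholder, not a real client ID).
TRUSTED_CLIENT_IDS = {"123456789012-vetted.apps.googleusercontent.com"}

# Google's OAuth 2.0 authorization endpoints live under this host and path;
# the Chrome Web Store API scope is what an attacker needs to publish updates.
GOOGLE_AUTH_HOST = "accounts.google.com"
GOOGLE_AUTH_PATH_PREFIX = "/o/oauth2/"
SENSITIVE_SCOPES = {"https://www.googleapis.com/auth/chromewebstore"}


def triage_consent_link(url: str) -> dict:
    """Classify a link from a 'policy violation' e-mail.

    Returns is_oauth_request, client_id, the requested scopes and a list of
    findings. A legitimate Google host proves nothing on its own; the consent
    would be granted to whatever app owns client_id, for the listed scopes.
    """
    parsed = urlparse(url)
    result = {"is_oauth_request": False, "client_id": None,
              "scopes": [], "findings": []}
    if parsed.hostname != GOOGLE_AUTH_HOST or \
            not parsed.path.startswith(GOOGLE_AUTH_PATH_PREFIX):
        return result  # not an OAuth authorization request at all
    result["is_oauth_request"] = True
    qs = parse_qs(parsed.query)  # decodes %xx and '+' for us
    client_id = qs.get("client_id", [None])[0]
    # scope is a space-separated list; parse_qs may also yield several values
    scopes = set(" ".join(qs.get("scope", [])).split())
    result["client_id"] = client_id
    result["scopes"] = sorted(scopes)
    if client_id not in TRUSTED_CLIENT_IDS:
        result["findings"].append("untrusted client_id")
    if scopes & SENSITIVE_SCOPES:
        result["findings"].append("requests Chrome Web Store publishing scope")
    return result


# Constructed sample link of the kind such an e-mail might carry.
SAMPLE_LINK = ("https://accounts.google.com/o/oauth2/v2/auth"
               "?client_id=999-unknown.apps.googleusercontent.com"
               "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
               "&response_type=code"
               "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore+openid")

if __name__ == "__main__":
    print(triage_consent_link(SAMPLE_LINK))
```

Anything flagged with both findings is exactly the grant this campaign needed and should be treated as a phishing attempt rather than a policy notice.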