Chrome Extension Breach: Cyberhaven Attack Exposes Millions to Cookie Theft Risk


A widespread cyberattack targeting Google Chrome browser extensions has put millions of users at risk, with security company Cyberhaven among the prominent victims. The incident, which unfolded during the 2023 holiday season, has raised serious concerns about two-factor authentication (2FA) security.

The attack on Cyberhaven began on Christmas Eve when threat actors successfully phished an employee, gaining access to the Google Chrome Web Store. The attackers then published a malicious version (24.10.4) of Cyberhaven's Chrome extension, potentially affecting around 400,000 corporate customers.

Howard Ting, Cyberhaven's CEO, confirmed that the compromised extension could extract cookies and authenticated sessions for specific targeted websites, particularly social media advertising and AI platforms. The malicious code remained active from December 25 to 26 before being detected and removed within 60 minutes.

The attack methodology involved sophisticated social engineering techniques. Despite having Google Advanced Protection and multi-factor authentication enabled, the targeted employee inadvertently authorized a malicious application through Google's standard authorization flow.

This incident highlights a concerning vulnerability in 2FA systems. Rather than directly bypassing authentication, attackers can capture and clone session cookies generated after successful 2FA verification, allowing them unauthorized access to user accounts.

In response to the breach, Cyberhaven has:

  • Removed the compromised extension from the Chrome Web Store
  • Deployed a secure version (24.10.5)
  • Notified affected customers
  • Launched a comprehensive investigation

Security experts recommend implementing stronger authentication methods, such as passkeys, which offer enhanced protection against phishing and social engineering attacks. Organizations are advised to review their third-party app authorization policies and implement stricter controls on OAuth permissions.

Users who may have been running version 24.10.4 of the Cyberhaven Chrome extension during the affected period should immediately verify their extension has updated to version 24.10.5 or newer.
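As an added example (not code from the article or from Cyberhaven), the following Python audit flags an installed copy of the extension that has not reached the fixed build. It assumes Chrome's per-profile Extensions/<id>/<version>_0/manifest.json layout and uses a placeholder extension id, since the article does not give the real one.

```python
"""Audit a Chrome extension inventory for the compromised Cyberhaven build.

Added example, not code from the article or from Cyberhaven. Chrome keeps each
installed extension under <profile>/Extensions/<extension-id>/<version>_0/
with a manifest.json that carries the "version" string; the extension id
below is a placeholder because the article does not give the real one.
"""
import json
from pathlib import Path

CYBERHAVEN_EXT_ID = "PLACEHOLDER_EXTENSION_ID"  # assumption: substitute the real id
MALICIOUS_VERSION = "24.10.4"                   # version named in the article
FIXED_VERSION = "24.10.5"                       # first clean version per the article


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '24.10.4' into (24, 10, 4) so comparison is numeric: a plain string
    compare would wrongly rank '24.10.10' below '24.10.5'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True for the malicious build and anything older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def audit_inventory(inventory: dict[str, list[str]]) -> list[str]:
    """inventory maps extension id -> installed version strings (one profile may
    hold several). Returns the Cyberhaven versions that still need updating."""
    return [v for v in inventory.get(CYBERHAVEN_EXT_ID, []) if is_affected(v)]


def load_inventory(extensions_dir: Path) -> dict[str, list[str]]:
    """Build the inventory from a Chrome profile's Extensions directory."""
    inventory: dict[str, list[str]] = {}
    if not extensions_dir.is_dir():
        return inventory
    for ext_dir in extensions_dir.iterdir():
        for manifest in ext_dir.glob("*/manifest.json"):
            with manifest.open(encoding="utf-8") as fh:
                version = json.load(fh).get("version", "0")
            inventory.setdefault(ext_dir.name, []).append(version)
    return inventory


if __name__ == "__main__":
    # Constructed sample: one stale install and one updated install side by side.
    sample = {CYBERHAVEN_EXT_ID: [MALICIOUS_VERSION, "24.10.10"]}
    print("needs update:", audit_inventory(sample))  # ['24.10.4']
```

Point `load_inventory` at a real profile's Extensions directory and pass the result to `audit_inventory` to check a host.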

This incident serves as a stark reminder of the evolving nature of cyber threats and the need for constant vigilance, even with established security measures in place.