A series of sophisticated attacks targeting Google Chrome browser extensions has put millions of users at risk by compromising authentication protections, including two-factor authentication (2FA).
The ongoing attacks, which began in mid-December 2023, have affected multiple companies' Chrome extensions. One notable case involves security company Cyberhaven, whose extension, with over 400,000 corporate customers, was compromised on Christmas Eve.
How the Attack Works
The attackers use a sophisticated phishing technique that redirects victims to legitimate-looking login pages. When users enter their credentials and 2FA codes, the attackers capture and store the authentication session cookies. These stolen cookies allow hackers to bypass 2FA protections by reusing authenticated sessions.
The Cyberhaven Incident
On December 24, attackers successfully phished a Cyberhaven employee, gaining access to the Google Chrome Web Store. They then published a malicious version (24.10.4) of the company's Chrome extension. The compromise was discovered on December 25 and removed within an hour.
The attack specifically targeted:
- Chrome-based browsers with auto-update enabled
- Users active during the December 25-26 timeframe
- Social media advertising and AI platform logins
Protection Measures
Google recommends several security measures:
- Using passkeys instead of traditional 2FA methods
- Implementing security keys for stronger protection
- Running regular Chrome Safety Checks
- Enabling enhanced Safe Browsing protection
- Reviewing installed extensions periodically
Google's Extension Security
The Chrome security team employs multiple layers of protection:
- AI-powered automated reviews
- Human verification of all extensions
- Continuous monitoring after publication
- Collaboration with external security researchers
Despite these safeguards, Google acknowledges that some malicious extensions can still slip through. The company reports that less than 1% of Chrome Web Store installations contained malware in 2024.
Users can check their extension security status by typing "chrome://extensions" in their browser address bar and running safety checks to identify potential risks.
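The periodic extension review recommended above can also be scripted. The following Python script is an added example, not code from the article, Google or Cyberhaven: it inventories the extension manifests under a Chrome profile directory and flags version 24.10.4 of a given extension. The extension ID is a placeholder (the article does not give one), the sample manifests are constructed, and the cookie-plus-all-sites flag is an assumed review heuristic.

```python
import json
import tempfile
from pathlib import Path

# Version is from the article; the extension ID is a placeholder because the
# article does not give one. Replace it with the ID from the vendor advisory.
KNOWN_BAD = {("EXTENSION_ID_PLACEHOLDER", "24.10.4")}

def scan_profile(profile_dir, known_bad=KNOWN_BAD):
    """Inventory every unpacked extension version under one Chrome profile."""
    findings = []
    # On-disk layout: <profile>/Extensions/<extension id>/<version dir>/manifest.json
    for path in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError) as exc:
            findings.append({"id": ext_id, "error": str(exc), "known_bad": False})  # review by hand
            continue
        version = str(manifest.get("version", ""))
        perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", ""),
            "version": version,
            "known_bad": (ext_id, version) in known_bad,
            # Review heuristic (assumption): cookie access plus all-site reach.
            "reads_all_cookies": "cookies" in perms and "<all_urls>" in perms,
        })
    return findings

def demo():
    """Scan a constructed profile: one flagged build, one benign, one corrupt."""
    samples = {
        "EXTENSION_ID_PLACEHOLDER/24.10.4_0": '{"name": "Sample DLP", "version": "24.10.4", "permissions": ["cookies"], "host_permissions": ["<all_urls>"]}',
        "constructedbenignid/1.2.0_0": '{"name": "Sample Notes", "version": "1.2.0", "permissions": ["storage"]}',
        "constructedbrokenid/0.1_0": "{not json",
    }
    with tempfile.TemporaryDirectory() as profile:
        for rel, body in samples.items():
            target = Path(profile, "Extensions", rel)
            target.mkdir(parents=True)
            (target / "manifest.json").write_text(body, encoding="utf-8")
        return scan_profile(profile)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To audit a workstation, call scan_profile on a real profile directory, such as the Default folder inside Chrome's user data directory.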