{"id":1375,"date":"2025-01-02T05:43:11","date_gmt":"2025-01-02T05:43:11","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1375"},"modified":"2025-01-02T05:43:11","modified_gmt":"2025-01-02T05:43:11","slug":"squarex-researchers-expose-oauth-attack-on-chrome-extensions-days-before-major-breach","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1375","title":{"rendered":"SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p><a href=\"https:\/\/sqrx.com\/\" target=\"_blank\" rel=\"noopener\">SquareX<\/a>, an industry-first Browser Detection and Response (BDR) solution, leads the way in browser security. About a week ago, SquareX\u00a0<a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7276221221967446016\/\" target=\"_blank\" rel=\"noopener\">reported<\/a> a large-scale phishing campaign targeting Chrome extension developers, aimed at taking over extensions already published on the Chrome Web Store.<\/p>\n<p>On December 25th, 2024, a malicious version of Cyberhaven\u2019s browser extension was published to the Chrome Web Store. It allowed the attacker to hijack authenticated sessions and exfiltrate confidential information. The <a href=\"https:\/\/techcrunch.com\/2024\/12\/27\/cyberhaven-says-it-was-hacked-to-publish-a-malicious-update-to-its-chrome-extension\/?guccounter=1&amp;guce_referrer=aHR0cHM6Ly93d3cubGlua2VkaW4uY29tLw&amp;guce_referrer_sig=AQAAAEh8CwwLS80JBrV1H5tfF5xWCtey9INrHClNIgeQY9VaAxUNOrqC2VKHhoLxkzuN4U28t4-86ZvUF99NFXFdDQHvzi9osB7VpKkf7x3nU1a5g40IM2cOAhq_y1eX0cysL2wcZcMEln0R-eG46VrapK42ikxpzNTugtq4tXjbLusf\" target=\"_blank\" rel=\"noopener\">malicious extension<\/a> was available for download for more than 30 hours before being removed by Cyberhaven. 
The data loss prevention company declined to comment on the extent of the impact when approached by the press, but the extension had over 400,000 users on the <a href=\"https:\/\/web.archive.org\/web\/20241227171802\/https:\/\/chromewebstore.google.com\/detail\/cyberhaven-security-exten\/pajkjnmeojmbapicmbpliphjmcekeaac\" target=\"_blank\" rel=\"noopener\">Chrome Store<\/a> at the time of the attack.<\/p>\n<p>The breach came roughly a week after SquareX\u2019s researchers had <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7276221221967446016\/\" target=\"_blank\" rel=\"noopener\">identified<\/a> the same attack pathway and published a <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7276221221967446016\/\" target=\"_blank\" rel=\"noopener\">video<\/a> demonstrating it end to end. The attack begins with a phishing email impersonating the Chrome Web Store. It claims the developer\u2019s extension violates the platform\u2019s \u201cDeveloper Agreement\u201d and urges the recipient to accept updated policies to prevent the extension from being removed. Clicking the policy button leads to a Google OAuth consent screen for an application named \u201cPrivacy Policy Extension\u201d. If the developer consents, the attacker\u2019s application is granted permission to edit, update and publish extensions on the developer\u2019s account. No password is stolen at any point: the developer signs in to Google legitimately, so MFA does not stop the attack, and the attacker ends up holding an OAuth token that remains valid until the grant is revoked.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Fig 1. Phishing email targeting extension developers<\/p>\n<p class=\"imageCredit\">Cyber NewsWire<\/p>\n<\/div>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Fig 2. Fake Privacy Policy Extension requesting access to \u201cedit, update or publish\u201d the developer\u2019s extension<\/p>\n<p class=\"imageCredit\">Cyber NewsWire<\/p>\n<\/div>\n<p>Extensions have become an increasingly popular way for attackers to gain initial access. 
This is because most organizations have little visibility into which browser extensions their employees are running. Even rigorous security teams typically do not monitor subsequent updates once an extension has been approved, and an update is exactly what this attack delivers.<\/p>\n<p>SquareX has conducted extensive research, and demonstrated at <a href=\"https:\/\/www.youtube.com\/watch?v=AS_bSDxTU4w\" target=\"_blank\" rel=\"noopener\">DEF CON 32<\/a>, how MV3-compliant extensions can be used to steal video stream feeds, add a silent GitHub collaborator, and steal session cookies, among other things. Attackers can ship a seemingly harmless extension and turn it malicious with a later update, or, as in the attack above, deceive the developers behind a trusted extension and take over one that already has hundreds of thousands of users. In Cyberhaven\u2019s case, the malicious version of the extension was used to steal company credentials across multiple websites and web apps.<\/p>\n<p>Developer contact emails are publicly listed on the Chrome Web Store, so attackers can target thousands of extension developers at once. These addresses are typically intended for bug reports, so even the support emails listed for extensions from larger companies usually land with developers who may not have the security awareness to recognise such a lure. Given that SquareX\u2019s disclosure and the Cyberhaven breach occurred less than two weeks apart, the company has strong reason to believe that many other browser extension publishers are being attacked in the same way. SquareX urges companies and individuals alike to inspect extensions carefully before installing or updating them.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Fig 3. 
Contact details of extension developers are publicly available on Chrome Store<\/p>\n<p class=\"imageCredit\">Cyber NewsWire<\/p>\n<\/div>\n<p>SquareX\u2019s team understands that evaluating and monitoring every browser extension in the workforce is non-trivial amid competing security priorities, especially when it comes to zero-day attacks. As demonstrated in the <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7276221221967446016\/\" target=\"_blank\" rel=\"noopener\">video<\/a>, the fake privacy policy app involved in Cyberhaven\u2019s breach was not flagged by any popular threat feed.<\/p>\n<p><a href=\"https:\/\/sqrx.com\/\" target=\"_blank\" rel=\"noopener\">SquareX\u2019s Browser Detection and Response (BDR) solution<\/a> takes this complexity off security teams by:<\/p>\n<ul>\n<li>Blocking OAuth interactions with unauthorized websites, so employees cannot accidentally grant attackers access to your Chrome Web Store account<\/li>\n<li>Blocking and\/or flagging suspicious extension updates that request new, risky permissions<\/li>\n<li>Blocking and\/or flagging extensions with a surge of negative reviews<\/li>\n<li>Blocking and\/or flagging installations of sideloaded extensions<\/li>\n<li>Streamlining requests for extension installations outside the authorized list for quick approval based on company policy<\/li>\n<li>Providing full visibility of all extensions installed and used by employees across the organization<\/li>\n<\/ul>\n<p>SquareX\u2019s founder <a href=\"https:\/\/www.linkedin.com\/in\/vivekramachandran\/\" target=\"_blank\" rel=\"noopener\">Vivek Ramachandran<\/a> warns: \u201cIdentity attacks targeting browser extensions similar to this OAuth attack will only become more prevalent as employees rely on more browser-based tools to be productive at work. 
Similar variants of these attacks have been used in the past to steal cloud data from apps like Google Drive and OneDrive, and we will only see attackers get more creative in exploiting browser extensions. Companies need to remain vigilant and minimize their supply chain risk without hampering employee productivity by equipping them with the right browser-native tools.\u201d<\/p>\n<p><strong>About SquareX:<\/strong><\/p>\n<p><a href=\"https:\/\/sqrx.com\/\" target=\"_blank\" rel=\"noopener\">SquareX<\/a> helps organizations detect, mitigate, and threat-hunt client-side web attacks against their users in real time.<\/p>\n<p>SquareX\u2019s industry-first Browser Detection and Response (BDR) solution takes an attack-focused approach to browser security, protecting enterprise users against advanced threats such as malicious QR codes, Browser-in-the-Browser phishing, macro-based malware, and other web attacks involving malicious files, websites, scripts, and compromised networks.<\/p>\n<p>With SquareX, enterprises can give contractors and remote workers secure access to internal applications and enterprise SaaS, and convert the browsers on BYOD \/ unmanaged devices into trusted browsing sessions.<\/p>\n<h5 class=\"wp-block-heading\"><strong>Contact<\/strong><\/h5>\n<p><strong>Head of PR<\/strong><\/p>\n<p><strong>Junice Liew<\/strong><\/p>\n<p><strong>SquareX<\/strong><\/p>\n<p><strong>junice@sqrx.com<\/strong><\/p>\n\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>SquareX, an industry-first Browser Detection and Response (BDR) solution, leads the way in browser security. About a week ago, SquareX\u00a0reported a large-scale phishing campaign targeting Chrome extension developers, aimed at taking over extensions already published on the Chrome Web Store. 
On December 25th, 2024, a malicious version of Cyberhaven\u2019s browser extension was published on the Chrome Store that [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1376,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1375","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1375"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1375"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1375\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1376"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
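The consent-phishing pathway described in the post above leaves a trace that the phishing email itself does not: a Google OAuth grant, on the developer's account, to a third-party application asking for Chrome Web Store publishing rights. The following is an added example (not SquareX's or Cyberhaven's code) of a check that audits such grants and flags any client not on an approved list. The records are constructed, modelled on Google Workspace Admin SDK Reports API "token" activity events; the field names, the client IDs and the scope string `https://www.googleapis.com/auth/chromewebstore` are assumptions, so compare them with your own export before relying on the check.

```python
"""Audit OAuth consent grants for third-party apps that obtained Chrome Web
Store publishing rights on a developer's Google account.

Added example (not SquareX's or Cyberhaven's code). The records below are
constructed, modelled on Google Workspace Admin SDK Reports API 'token'
activity events; the field names and the scope string are assumptions, so
check them against your own export before relying on this.
"""
import json
from dataclasses import dataclass

# Assumed OAuth scope that the Chrome Web Store API uses for publishing.
CWS_PUBLISH_SCOPE = "https://www.googleapis.com/auth/chromewebstore"

# Client IDs your organisation has reviewed for CWS publishing (constructed).
APPROVED_CLIENT_IDS = {"ci-publisher.apps.googleusercontent.com"}

# Constructed sample events, one JSON record per line as exported (not real telemetry).
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {   # legitimate CI pipeline publishing with an approved client
        "id": {"time": "2024-12-20T09:12:00Z"},
        "actor": {"email": "release-bot@example.com"},
        "events": [{"type": "auth", "name": "authorize", "parameters": [
            {"name": "client_id", "value": "ci-publisher.apps.googleusercontent.com"},
            {"name": "app_name", "value": "Release Pipeline"},
            {"name": "scope", "multiValue": [CWS_PUBLISH_SCOPE]}]}]},
    {   # unknown app, but only asking for read-only Drive access
        "id": {"time": "2024-12-23T14:02:31Z"},
        "actor": {"email": "dev1@example.com"},
        "events": [{"type": "auth", "name": "authorize", "parameters": [
            {"name": "client_id", "value": "notes-sync.apps.googleusercontent.com"},
            {"name": "app_name", "value": "Notes Sync"},
            {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive.readonly"]}]}]},
    {   # the lure described in the article: unknown app asking to publish extensions
        "id": {"time": "2024-12-24T18:40:05Z"},
        "actor": {"email": "dev2@example.com"},
        "events": [{"type": "auth", "name": "authorize", "parameters": [
            {"name": "client_id", "value": "policy-ext.apps.googleusercontent.com"},
            {"name": "app_name", "value": "Privacy Policy Extension"},
            {"name": "scope", "multiValue": [CWS_PUBLISH_SCOPE, "openid", "email"]}]}]},
    {   # a later revocation of the same app: not a grant, must not be flagged
        "id": {"time": "2024-12-26T08:00:00Z"},
        "actor": {"email": "dev2@example.com"},
        "events": [{"type": "auth", "name": "revoke", "parameters": [
            {"name": "client_id", "value": "policy-ext.apps.googleusercontent.com"},
            {"name": "app_name", "value": "Privacy Policy Extension"}]}]},
])


@dataclass(frozen=True)
class Finding:
    time: str
    actor: str
    app_name: str
    client_id: str


def _parameters(event: dict) -> dict:
    """Flatten the name/value or name/multiValue parameter list into a dict."""
    flat = {}
    for p in event.get("parameters", []):
        flat[p["name"]] = list(p["multiValue"]) if "multiValue" in p else p.get("value")
    return flat


def risky_grants(records, approved=APPROVED_CLIENT_IDS):
    """Return grants of the CWS publishing scope to clients not on the approved list."""
    findings = []
    for rec in records:
        for ev in rec.get("events", []):
            if ev.get("name") != "authorize":   # only new consents, not revocations
                continue
            params = _parameters(ev)
            scopes = params.get("scope") or []
            client = params.get("client_id", "")
            if CWS_PUBLISH_SCOPE in scopes and client not in approved:
                findings.append(Finding(rec["id"]["time"], rec["actor"]["email"],
                                        params.get("app_name", "<unnamed>"), client))
    return findings


def audit_jsonl(text: str):
    """Parse newline-delimited JSON records and run the check over them."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return risky_grants(records)


if __name__ == "__main__":
    for f in audit_jsonl(SAMPLE_JSONL):
        print(f"{f.time} {f.actor} granted CWS publishing to '{f.app_name}' ({f.client_id})")
```

Run against the constructed sample, only the "Privacy Policy Extension" grant is reported: the approved CI client and the Drive-only app pass, and the revocation event is ignored because it is not a new consent. In a real deployment the same logic would run over a scheduled export of token events, and any hit should be followed by revoking the grant and checking whether a new extension version was published after the grant time.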
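The post also notes that security teams rarely re-examine an extension after it has been approved, even though a malicious update is exactly how a hijacked developer account is monetised. The following is an added example (not SquareX's tooling) of the check a team can run on each update: diff the new `manifest.json` against the approved one and flag newly requested high-risk permissions or broad host access. Both manifests are constructed for illustration and are not Cyberhaven's, and the risk list is the editor's own judgement about which Chrome permissions give an extension reach over sessions, traffic and data.

```python
"""Compare two versions of a Chrome extension manifest and flag newly requested
high-risk permissions and broad host access.

Added example (not SquareX's tooling; the manifests are constructed, not
Cyberhaven's). The risk list is the editor's judgement about which Chrome
permissions let an extension read sessions, traffic or data; tune it to
your own policy.
"""
import json

# Permissions that give an update the reach to hijack sessions or exfiltrate data.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "tabs", "history", "downloads", "nativeMessaging",
    "debugger", "management", "clipboardRead", "proxy",
}
# Host patterns that cover every origin.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifests: a benign v1.0.0 and a suspicious v1.0.1 update.
MANIFEST_V1 = json.dumps({
    "manifest_version": 3, "name": "Example DLP Helper", "version": "1.0.0",
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["https://app.example.com/*"],
    "content_scripts": [{"matches": ["https://app.example.com/*"], "js": ["cs.js"]}],
})
MANIFEST_V2 = json.dumps({
    "manifest_version": 3, "name": "Example DLP Helper", "version": "1.0.1",
    "permissions": ["storage", "activeTab", "cookies", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}],
})


def _is_host_pattern(p: str) -> bool:
    return p == "<all_urls>" or "://" in p


def requested_permissions(manifest: dict) -> set:
    """API permissions, whether granted at install or requested later."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    return {p for p in perms if not _is_host_pattern(p)}   # MV2 mixes host patterns in here


def requested_hosts(manifest: dict) -> set:
    """Every origin the extension can reach: host_permissions, MV2 host
    entries inside permissions, and content-script match patterns."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if _is_host_pattern(p)}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def diff_manifests(old_json: str, new_json: str) -> dict:
    """Report what an update newly asks for and whether it needs human review.
    Only new high-risk permissions and new all-origin host patterns trigger
    review; a new narrowly scoped host is reported but not escalated."""
    old, new = json.loads(old_json), json.loads(new_json)
    new_perms = requested_permissions(new) - requested_permissions(old)
    new_hosts = requested_hosts(new) - requested_hosts(old)
    report = {
        "old_version": old.get("version"), "new_version": new.get("version"),
        "new_permissions": sorted(new_perms),
        "new_risky_permissions": sorted(new_perms & HIGH_RISK_PERMISSIONS),
        "new_hosts": sorted(new_hosts),
        "new_broad_hosts": sorted(new_hosts & BROAD_HOST_PATTERNS),
    }
    report["needs_review"] = bool(report["new_risky_permissions"] or report["new_broad_hosts"])
    return report


if __name__ == "__main__":
    print(json.dumps(diff_manifests(MANIFEST_V1, MANIFEST_V2), indent=2))
```

On the constructed pair the update is escalated because it newly asks for `cookies` and `webRequest` and widens its reach from one origin to `<all_urls>`. A manifest diff is a cheap first gate, not a full review: an update can keep its permissions unchanged and still become malicious by changing the code behind them, so a hit here should lead to inspecting the bundled scripts, and a clean diff does not prove the update is safe.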