Update, Dec. 30, 2024: This story, originally published Dec. 29, now includes an explanation of how 2FA bypass via session cookie compromise works, along with advice from security experts about mitigating the Chrome malicious extension attack.

Hackers don’t take holidays, as a series of compromises of Google Chrome browser extensions dating back to mid-December and continuing through the seasonal break would attest. Here’s everything you need to know about the ongoing Google Chrome two-factor authentication bypass attacks.

The Latest Google Chrome Browser Extension Attacks Explained

As reported Dec. 27 by Reuters, “hackers have compromised several different companies’ Chrome browser extensions in a series of intrusions.” That threat actors are using Chrome extensions as an attack methodology is nothing new, but the extent of this latest campaign would appear to show how determined hackers are to steal session cookies and bypass your two-factor authentication protections.

Although just one part of what appears to be a coordinated and wide-reaching campaign targeting multiple companies and their Chrome extensions, with the total number of users at risk likely in the millions, the attack against security company Cyberhaven is worth looking at: it both illustrates the potential dangers of such attacks, with some 400,000 corporate customers alone, and provides insight into why responding quickly is key.

“Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven’s Chrome extension,” Howard Ting, CEO of the data attack detection and incident response company, said in a security alert posting, “We want to share the full details of the incident and steps we’re taking to protect our customers and mitigate any damage.”

The Cyberhaven Chrome Extension Attack

The attack against Cyberhaven customers started Dec. 24 when a phishing attack compromised an employee. Importantly, this included a credentials compromise that enabled the attacker to gain access to the Google Chrome Web Store. “The attacker used these credentials to publish a malicious version of our Chrome extension,” Ting confirmed. The malicious extension wasn’t discovered until late on Dec. 25, after which it was removed within 60 minutes.

A preliminary investigation into the attack revealed that the initial access vector was by way of a phishing email sent to the registered support email for Cyberhaven’s Chrome extension, targeting the developers. Cyberhaven has made this email available so as to warn others of what such an initial attack looks like.

When the victim clicked on the link, they found themselves in the Google authorization flow for “adding a malicious OAUTH Google application called Privacy Policy Extension,” Cyberhaven said. That flow was hosted on Google.com and is the standard process for granting a third-party application access to a Google account; in this case, it inadvertently authorized a malicious application. “The employee had Google Advanced Protection enabled and had MFA covering his account,” Cyberhaven said. No multi-factor authentication prompt was received, and the employee’s Google credentials were not compromised in the attack. A malicious extension (version 24.10.4), based on a clean prior version of the official Cyberhaven Chrome extension, was then uploaded to the Chrome Web Store.

Chrome Extension Attack—A 2FA Bypass Explained

Although two-factor authentication remains a vital layer in your credential verification security protections, that doesn’t mean it is invulnerable to attack. People often assume, incorrectly, that only SMS-based 2FA codes are open to interception and that a code-generating authenticator app is the silver bullet. Apps are a much stronger form of 2FA for most people, and SMS codes are still better than no 2FA at all, but attackers can still get past this authentication layer. Strictly speaking, they don’t bypass it so much as clone the authenticated session it produces. An attacker will, by whatever method, redirect the victim to a genuine-looking login page where credentials are entered. When the victim reaches the 2FA code step, an attacker-in-the-middle proxy relays the code to the real service and captures the session cookie that the service issues once the correct code has been accepted, storing it for later use. This cookie does what it says on the tin: it flags that user session as properly authorized. Of course, if an attacker has a copy of that cookie they can re-use that session at their leisure and still be seen as the authenticated user.
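The server-side counterpart to the cookie theft described above is to treat the session cookie as bound to the context it was issued to, and to revoke it the moment it turns up somewhere else. The following is an added example written for this article, not code from Cyberhaven, Google or any product named here; the session store, the 8-hour lifetime, the /24 network binding and the sample addresses are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumption: sessions must be re-established at least every 8 hours.
SESSION_TTL_SECONDS = 8 * 3600


@dataclass
class Session:
    user: str
    fingerprint: str  # HMAC of the client context the session was issued to
    issued_at: float
    last_seen: float


@dataclass
class SessionStore:
    secret: bytes
    sessions: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)  # replay signals for the SOC

    def _fingerprint(self, client_ip: str, user_agent: str) -> str:
        # Bind to the client's /24 rather than the exact IPv4 address so an office
        # NAT pool does not log users out, and to the User-Agent string.
        network = ".".join(client_ip.split(".")[:3])
        msg = f"{network}|{user_agent}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, client_ip: str, user_agent: str, now: float = None) -> str:
        """Called only after password and 2FA both succeeded."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, self._fingerprint(client_ip, user_agent), now, now)
        return sid

    def validate(self, sid: str, client_ip: str, user_agent: str, now: float = None):
        """Return (ok, detail). A stolen cookie presented from another context is revoked."""
        now = time.time() if now is None else now
        session = self.sessions.get(sid)
        if session is None:
            return False, "unknown session"
        if now - session.issued_at > SESSION_TTL_SECONDS:
            del self.sessions[sid]
            return False, "session expired"
        expected = self._fingerprint(client_ip, user_agent)
        if not hmac.compare_digest(session.fingerprint, expected):
            self.alerts.append({"user": session.user, "sid_prefix": sid[:8],
                                "reason": "cookie replayed from a different network/browser"})
            del self.sessions[sid]  # revoke, so the copy the thief holds stops working too
            return False, "fingerprint mismatch; session revoked"
        session.last_seen = now
        return True, session.user


def set_cookie_header(sid: str) -> str:
    # Secure keeps the cookie off plain HTTP, HttpOnly keeps it away from page scripts,
    # SameSite=Strict stops cross-site requests from carrying it, Max-Age bounds its life.
    return f"sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age={SESSION_TTL_SECONDS}"


def demo():
    """Constructed scenario: the victim logs in, then the copied cookie is replayed elsewhere."""
    store = SessionStore(secret=b"constructed-server-side-secret")
    t0 = 1_735_000_000.0
    ua = "Mozilla/5.0 (X11; Linux x86_64) Chrome/131.0"
    sid = store.issue("alice", "203.0.113.10", ua, now=t0)
    legit = store.validate(sid, "203.0.113.25", ua, now=t0 + 60)             # same office, other NAT address
    replay = store.validate(sid, "198.51.100.7", "curl/8.5.0", now=t0 + 120)  # thief's host
    after = store.validate(sid, "203.0.113.10", ua, now=t0 + 180)             # victim, now forced to re-login
    return legit[0], replay[0], after[0], len(store.alerts)


if __name__ == "__main__":
    print(demo())
```

Two caveats matter in practice. Binding to the network breaks for roaming mobile users, so many deployments bind to the User-Agent only and alert on an address change rather than revoke outright. More importantly, a malicious extension runs inside the victim's own browser, so requests it makes carry the victim's real context; this check catches the cookie when it is reused from the attacker's infrastructure, which is what makes a short lifetime and prompt revocation after an incident the other half of the mitigation.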

Chrome Extension 2FA Bypass Attack—Impact And Scope

According to Ting, the impact and scope of the Cyberhaven Chrome extension attack is as follows:

The only version of the Chrome extension impacted was 24.10.4, with the malicious code only being active between Christmas Day and Boxing Day. Only customers using Chrome-based browsers that auto-updated during the period of the attack would have been affected.

For those browsers that were running the compromised extension, however, Cyberhaven has confirmed that it “could have exfiltrated cookies and authenticated sessions for certain targeted websites.” The initial investigation suggests that the targeted logins were social media advertising and AI platforms.

“Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD processes and code signing keys, were compromised,” Ting said.

How To Mitigate 2FA Bypass Attacks—And Respond To The Cyberhaven Chrome Extension Incident

With the Federal Bureau of Investigation warning people on Oct. 30 about session cookie theft by cybercriminals in order to bypass 2FA account protections, the time to be aware and mitigate the risk of these attacks is long overdue. There are “numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks,” a Google spokesperson said, “Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.”

One of the problems is that employees will often click through single sign-on and authorization screens, potentially granting permissions to unknown third-party apps, Vivek Ramachandran, founder of SquareX, said. “On the server side, this could be prevented by disallowing apps that request risky OAuth scopes unless they are authorized. While creating a whitelist isn’t always practical and can reduce productivity, a client-side Browser Detection-Response tool can step in.”
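The server-side control Ramachandran describes, refusing consent requests for risky OAuth scopes from apps that have not been reviewed, can be expressed as a small policy check. The following is an added example written for this article, not Google's, SquareX's or Cyberhaven's code: which scopes count as risky, the allowlist entries, the client IDs and the sample authorization URL are all constructed assumptions, and a real deployment would enforce the policy in the identity provider's app-access controls rather than in a script.

```python
import fnmatch
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Policy choices below are assumptions for this example, not Google's or Cyberhaven's.
# Scope patterns the organisation treats as risky (mail, files, store publishing, admin).
RISKY_SCOPE_PATTERNS = (
    "https://www.googleapis.com/auth/gmail*",
    "https://www.googleapis.com/auth/drive*",
    "https://www.googleapis.com/auth/chromewebstore*",
    "https://www.googleapis.com/auth/admin.*",
)
# Identity-only scopes that any app may request.
LOW_RISK_SCOPES = {"openid", "email", "profile",
                   "https://www.googleapis.com/auth/userinfo.email",
                   "https://www.googleapis.com/auth/userinfo.profile"}
# Reviewed apps, keyed by OAuth client_id (constructed values), with the risky scopes
# they were approved to hold.
ALLOWLIST = {
    "1000.reviewed-release-bot.apps.googleusercontent.com": {
        "https://www.googleapis.com/auth/chromewebstore",
    },
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    risky_scopes: tuple


def is_risky(scope: str) -> bool:
    return any(fnmatch.fnmatch(scope, pattern) for pattern in RISKY_SCOPE_PATTERNS)


def parse_consent_url(url: str) -> dict:
    """Pull client_id and the space-separated scope list out of an authorization URL."""
    query = parse_qs(urlparse(url).query)
    return {
        "client_id": query.get("client_id", [""])[0],
        "scopes": query.get("scope", [""])[0].split(),
    }


def evaluate_consent(client_id: str, scopes: list) -> Decision:
    risky = tuple(s for s in scopes if is_risky(s))
    approved = ALLOWLIST.get(client_id)
    if approved is not None:
        unreviewed = [s for s in risky if s not in approved]
        if unreviewed:
            return Decision(False, f"allowlisted app asked for unreviewed scopes: {unreviewed}", risky)
        return Decision(True, "allowlisted app within its reviewed scopes", risky)
    if risky:
        # The case from the article: an unknown app asking for broad access is refused
        # before the user can click through the consent screen.
        return Decision(False, "unlisted app requested risky scopes", risky)
    unclassified = [s for s in scopes if s not in LOW_RISK_SCOPES]
    if unclassified:
        return Decision(True, f"allowed, but log unclassified scopes for review: {unclassified}", risky)
    return Decision(True, "only identity scopes requested", risky)


def evaluate_url(url: str) -> Decision:
    req = parse_consent_url(url)
    return evaluate_consent(req["client_id"], req["scopes"])


# Constructed consent link of the shape a phishing email might carry (not the real one).
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=9999.unknown-app.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore"
)

if __name__ == "__main__":
    print(evaluate_url(SAMPLE_URL))
```

The same parser is useful on the response side of an incident: pasting the link from a reported phishing email into `evaluate_url` tells a responder at a glance which scopes the app was after, which is what determines whether a consent grant needs to be revoked and what the attacker could have reached with it.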

When it comes to this specific attack, affected customers were notified by Cyberhaven, along with those not known to be impacted, in the interest of complete transparency. The malicious Chrome extension was removed from the Chrome Web Store, and a secure version, 24.10.5, was automatically deployed. “For customers running version 24.10.4 of our Chrome extension during the affected period,” Ting said, “we strongly recommend verifying your extension has updated to version 24.10.5 or newer.” I have approached Google for a statement.
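Verifying "24.10.5 or newer" across a fleet is easy to get wrong if versions are compared as strings, since "24.9.0" then sorts above "24.10.5". The following is an added example written for this article, not Cyberhaven's tooling: it compares Chrome extension versions numerically and checks a Chrome profile directory for the compromised and minimum versions. The extension ID is a placeholder (the article does not give it), the profile layout is the standard `Extensions/<id>/<version>_<n>/manifest.json` one, and the profile used in the demo is constructed in a temporary directory.

```python
import json
import os
import tempfile

# Placeholder: the real Chrome Web Store ID of the extension is not given in the article.
EXTENSION_ID = "EXTENSION_ID_PLACEHOLDER"
MINIMUM_VERSION = "24.10.5"      # from the vendor's advisory
COMPROMISED_VERSIONS = {"24.10.4"}


def parse_version(version: str) -> tuple:
    """Chrome extension versions are one to four dot-separated integers. Comparing them
    as strings ranks '24.9.0' above '24.10.5', so compare numerically, padding with zeros."""
    parts = version.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"invalid extension version: {version!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def is_at_least(installed: str, minimum: str) -> bool:
    return parse_version(installed) >= parse_version(minimum)


def installed_versions(profile_dir: str, extension_id: str) -> list:
    """Versions present under <profile>/Extensions/<id>/<version>_<n>/manifest.json,
    which is where Chrome unpacks store-installed extensions."""
    ext_dir = os.path.join(profile_dir, "Extensions", extension_id)
    versions = []
    if not os.path.isdir(ext_dir):
        return versions
    for entry in sorted(os.listdir(ext_dir)):
        manifest = os.path.join(ext_dir, entry, "manifest.json")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8") as fh:
                versions.append(json.load(fh)["version"])
    return versions


def check_profile(profile_dir: str, extension_id: str = EXTENSION_ID,
                  minimum: str = MINIMUM_VERSION, compromised=COMPROMISED_VERSIONS) -> str:
    versions = installed_versions(profile_dir, extension_id)
    if not versions:
        return "not installed"
    bad = [v for v in versions if v in compromised]
    if bad:
        return f"compromised version present: {bad}"
    if all(is_at_least(v, minimum) for v in versions):
        return f"ok: {versions}"
    return f"outdated: {versions}"


def build_constructed_profile(root: str, versions: list) -> str:
    """Lay out a fake profile directory so the check can be exercised offline."""
    for v in versions:
        d = os.path.join(root, "Extensions", EXTENSION_ID, f"{v}_0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"manifest_version": 3, "name": "example", "version": v}, fh)
    return root


def constructed_check(versions: list) -> str:
    """Run check_profile against a throwaway profile holding the given versions."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_profile(build_constructed_profile(tmp, versions))


if __name__ == "__main__":
    # Real profile paths, for reference: ~/.config/google-chrome/Default on Linux,
    # ~/Library/Application Support/Google/Chrome/Default on macOS,
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default on Windows.
    print(constructed_check(["24.10.5"]))
```

Point `check_profile` at each user profile on a machine (the default profile paths are noted in the code) and collect the results centrally; a "compromised version present" result is the signal to treat that user's sessions on the targeted sites as exposed and rotate them, not merely to update the extension.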
