- Researchers discover large supply-chain attack targeting Chrome extension developers
- Dozens have been compromised, resulting in possibly millions of victim users
- Researchers urge users to patch or uninstall certain extensions
Hackers have managed to compromise dozens of legitimate Google Chrome extensions in what appears to be a highly sophisticated supply chain attack.
As a result, millions of browser users are at risk of data theft, identity theft, wire fraud, and more, cybersecurity researchers at Sekoia has said.
The researchers said the attack starts with a very convincing phishing attack, in which the threat actors impersonated Google Chrome Web Store support. They sent emails to Chrome extension developers, warning them about violated store policies, and having their work removed from the store unless they “extended their privacy policy”. Obviously, the email came with a link, leading to a legitimate Google OAuth authorization page, built for a malicious application
Facebook Business and other targets
Victims who would log in would actually share their login credentials with the attackers, who would use the access to poison their work and compromise the extensions.
Sekoia says that the threat actors were going after Facebook Business accounts, API keys, session cookies, access tokens, account information, and ad account details. In some cases, it was added, the crooks were going after ChatGPT API keys and user authentication data, as well.
The team traced the campaign back to at least March 2024, with the possibility of earlier activity, too.
Some of the more popular extensions that were targeted include GraphQL Network Inspector, Proxy SwitchyOmega (V3), YesCaptcha assistant, Castorus, and VidHelper – Video Download Helper. The full list of attacked extensions can be found on this link.
The number of affected individuals is measured in hundreds of thousands, or even millions, and mostly revolves around the number of downloads of these plugins. Most of the poisoned solutions have been pulled from the Chrome Web Store already. However, users are still advised to remove, or update, affected extensions, to versions released after December 26, 2024, and reset important account passwords, especially for Facebook and ChatGPT.
Via The Register