SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach
30 December 2024 - 9:00AM
SquareX, an industry-first Browser Detection and
Response (BDR) solution, leads the way in browser security. About a
week ago, SquareX reported large-scale attacks targeting Chrome
extension developers, aimed at taking over their extensions on the
Chrome Web Store.
On December 25th, 2024, a malicious version of
Cyberhaven’s browser extension was published on the Chrome Web
Store. It allowed the attacker to hijack authenticated sessions and
exfiltrate confidential information from users who received the
update. The malicious version was available for download for more
than 30 hours before Cyberhaven removed it. The data loss prevention
company declined to comment on the extent of the impact when
approached by the press, but the extension had over 400,000 users on
the Chrome Web Store at the time of the attack.
The breach came just a week after SquareX's
researchers had identified the same attack pattern and published a
video demonstrating the entire attack pathway. The attack begins
with a phishing email impersonating the Chrome Web Store, claiming
a violation of the platform’s “Developer Agreement” and urging the
recipient to accept the policies to prevent their extension from
being removed from the store. Clicking the policy button takes the
developer to a Google sign-in and consent screen for a “Privacy
Policy Extension” application, which requests permission to edit,
update and publish extensions on the developer’s account. Because
this is a standard OAuth consent grant, the attacker never needs the
developer’s password or second factor: once the developer clicks
through, the attacker’s application holds a token for the
developer’s Chrome Web Store account and can push a new version of
any extension that account owns.
Fake Privacy Policy Extension requesting access to
“edit, update or publish” the developer’s extension
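The consent screen is the one point in this chain where a browser-side control can still intervene, because the authorization request URL names the requesting client and the scopes it wants before the user sees the consent button. The following Node.js snippet is an added example, not SquareX's, Cyberhaven's or Google's code: it parses a Google OAuth authorization URL, flags any request for a high-value scope from a client that has not been approved for it, and checks the redirect target. The `chromewebstore` scope string is the one documented for the Chrome Web Store API (treated here as an assumption); the client IDs, redirect hosts and allowlist are constructed for the example.

```javascript
// Added example (not SquareX's or Cyberhaven's code): classify a Google OAuth
// authorization request before the consent screen renders.

// Scopes an attacker would ask for in a consent-phishing campaign. The
// chromewebstore scope is assumed from the Chrome Web Store API docs; it lets the
// token holder upload and publish extension versions on the victim's account.
const RISKY_SCOPES = {
  "https://www.googleapis.com/auth/chromewebstore": "publish/update Chrome Web Store items",
  "https://www.googleapis.com/auth/chromewebstore.readonly": "read Chrome Web Store items",
  "https://www.googleapis.com/auth/drive": "full access to Google Drive",
  "https://mail.google.com/": "full access to Gmail",
};

// Hypothetical allowlist: OAuth client_ids the organisation has approved per scope.
// The client_id values are constructed; real ones come from the consent screen.
const APPROVED_CLIENTS = {
  "https://www.googleapis.com/auth/chromewebstore": new Set(["ci-publisher.apps.example"]),
};

const GOOGLE_AUTH_HOSTS = new Set(["accounts.google.com"]);

// Returns { isOAuth, clientId, scopes, verdict, reasons }; verdict is
// "allow", "block" or "ignore" (not a Google authorization request at all).
function assessOAuthRequest(rawUrl, approved = APPROVED_CLIENTS) {
  const url = new URL(rawUrl);
  if (!GOOGLE_AUTH_HOSTS.has(url.hostname) || !url.pathname.includes("/o/oauth2/")) {
    return { isOAuth: false, verdict: "ignore", reasons: [] };
  }
  const params = url.searchParams;
  const clientId = params.get("client_id") ?? "";
  // The scope parameter is a space-separated list; URLSearchParams has already
  // decoded %20 / + for us.
  const scopes = (params.get("scope") ?? "").split(/\s+/).filter(Boolean);
  const reasons = [];

  for (const scope of scopes) {
    if (scope in RISKY_SCOPES && !approved[scope]?.has(clientId)) {
      reasons.push(`unapproved client "${clientId}" requests ${RISKY_SCOPES[scope]} (${scope})`);
    }
  }

  // The authorization code is delivered to redirect_uri; anything other than
  // HTTPS (or a local loopback) is a red flag in its own right.
  let redirect = null;
  try { redirect = new URL(params.get("redirect_uri") ?? ""); } catch { /* malformed or missing */ }
  if (redirect && redirect.protocol !== "https:" && redirect.hostname !== "localhost") {
    reasons.push(`non-HTTPS redirect_uri ${redirect.href}`);
  }

  return { isOAuth: true, clientId, scopes, verdict: reasons.length ? "block" : "allow", reasons };
}

// Constructed sample: the consent request a "Privacy Policy Extension" lure might
// generate. Client ID and redirect host are invented for the example.
const PHISHING_CONSENT_URL =
  "https://accounts.google.com/o/oauth2/v2/auth?client_id=privacy-policy-ext.apps.example" +
  "&redirect_uri=https%3A%2F%2Fpolicy-review.example%2Fcallback&response_type=code" +
  "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore";

// Constructed sample: the same scope requested by the approved CI publisher.
const APPROVED_CONSENT_URL =
  "https://accounts.google.com/o/oauth2/v2/auth?client_id=ci-publisher.apps.example" +
  "&redirect_uri=https%3A%2F%2Fci.example%2Fcallback&response_type=code" +
  "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore";

for (const u of [PHISHING_CONSENT_URL, APPROVED_CONSENT_URL, "https://example.com/login"]) {
  console.log(assessOAuthRequest(u));
}
```

The check keys on the scope rather than on the look of the consent page, which is the right granularity here: the lure's consent screen is a genuine Google page, so visual or domain-reputation checks pass, but an unknown client asking for Chrome Web Store publish rights is the whole attack in one parameter.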
Extensions have become an increasingly popular way
for attackers to gain initial access, because most organizations
have limited visibility into which browser extensions their
employees are running. Even the most rigorous security teams
typically do not monitor subsequent updates once an extension has
been whitelisted, so a trusted extension that turns malicious in a
later version is installed automatically.
SquareX has conducted extensive research and
demonstrated at DEF CON 32 how MV3-compliant extensions can be used
to steal video stream feeds, add a silent GitHub collaborator and
steal session cookies, among other things. Attackers can create a
seemingly harmless extension and later turn it into a malicious one
through an update after installation, or, as in the attack above,
deceive the developers of a trusted extension to gain control of
one that already has hundreds of thousands of users. In
Cyberhaven’s case, the attackers were able to steal company
credentials across multiple websites and web apps through the
malicious version of the extension.
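The update-time blind spot described above is where a cheap check pays off: an extension's manifest.json declares its permissions, host access and content-script targets, so a new version that suddenly asks for cookie access or injects scripts into every site is visible before the code is even read. The following Node.js snippet is an added example, not code from SquareX, Cyberhaven or Google: it diffs two manifest versions and grades the change. Both manifests are constructed for illustration and are not the real Cyberhaven manifest; the risk lists are this example's own judgement.

```javascript
// Added example (not SquareX's or Cyberhaven's code): grade an extension update by
// diffing its old and new manifest.json for newly granted capability.

// Permissions that let an extension read sessions or reach outside its tab.
// This list is the example's own choice, not an official classification.
const HIGH_RISK_PERMISSIONS = new Set([
  "cookies", "webRequest", "declarativeNetRequest", "scripting", "tabs",
  "history", "clipboardRead", "debugger", "nativeMessaging", "downloads",
  "management", "proxy",
]);

// Match patterns that cover every site.
const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "https://*/*", "http://*/*"]);

const contentScriptMatches = (m) =>
  new Set((m.content_scripts ?? []).flatMap((cs) => cs.matches ?? []));

// Returns { from, to, addedPermissions, addedHosts, findings, severity } where
// severity is "ok", "review" or "block".
function diffManifestRisk(oldM, newM) {
  const oldPerms = new Set(oldM.permissions ?? []);
  const oldHosts = new Set([...(oldM.host_permissions ?? []), ...(oldM.optional_host_permissions ?? [])]);
  const addedPermissions = (newM.permissions ?? []).filter((p) => !oldPerms.has(p));
  const addedHosts = (newM.host_permissions ?? []).filter((h) => !oldHosts.has(h));
  const findings = [];

  for (const p of addedPermissions) {
    if (HIGH_RISK_PERMISSIONS.has(p)) findings.push(`new high-risk permission: ${p}`);
  }
  for (const h of addedHosts) {
    if (BROAD_HOST_PATTERNS.has(h)) findings.push(`new broad host access: ${h}`);
  }
  // Content scripts injected into origins the previous version never touched.
  const oldMatches = contentScriptMatches(oldM);
  for (const m of contentScriptMatches(newM)) {
    if (!oldMatches.has(m)) findings.push(`content script now injected into ${m}`);
  }
  // MV3 has a single background service worker; a swapped entry point deserves a look.
  const oldSw = oldM.background?.service_worker, newSw = newM.background?.service_worker;
  if (oldSw !== newSw) findings.push(`background service worker changed: ${oldSw} -> ${newSw}`);

  const hard = findings.some((f) => f.startsWith("new high-risk") || f.startsWith("new broad"));
  const severity = hard ? "block" : findings.length ? "review" : "ok";
  return { from: oldM.version, to: newM.version, addedPermissions, addedHosts, findings, severity };
}

// Constructed manifests (illustrative only, not a real extension's).
const MANIFEST_V1 = {
  manifest_version: 3, name: "Example DLP Helper", version: "1.0.0",
  permissions: ["storage"],
  host_permissions: ["https://app.example/*"],
  background: { service_worker: "background.js" },
  content_scripts: [{ matches: ["https://app.example/*"], js: ["content.js"] }],
};

// A malicious-style update: cookie access, every site, and a new worker.
const MANIFEST_V2_MALICIOUS = {
  ...MANIFEST_V1, version: "1.0.1",
  permissions: ["storage", "cookies"],
  host_permissions: ["https://app.example/*", "<all_urls>"],
  background: { service_worker: "worker.js" },
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// A routine bump that changes nothing security-relevant.
const MANIFEST_V2_BENIGN = { ...MANIFEST_V1, version: "1.0.1" };

console.log(diffManifestRisk(MANIFEST_V1, MANIFEST_V2_MALICIOUS));
console.log(diffManifestRisk(MANIFEST_V1, MANIFEST_V2_BENIGN));
```

A manifest diff only catches updates that ask for more than the previous version held; an update that abuses permissions the extension already has (an extension that legitimately needed cookie access, say) looks identical at this layer, so the unpacked code of the new version still needs a review step, with the manifest check acting as the cheap first gate.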
Given that developer emails are publicly listed on
the Chrome Web Store, it is easy for attackers to target thousands
of extension developers at once. These emails are typically used for
bug reporting, so even the support addresses listed for extensions
from larger companies are usually routed to developers who may not
have the level of security awareness required to recognise such an
attack. Given that SquareX’s attack disclosure and the Cyberhaven
breach occurred less than two weeks apart, the company has strong
reason to believe that many other browser extension providers are
being attacked in the same way. SquareX urges companies and
individuals alike to inspect any browser extension carefully before
installing or updating it.
The SquareX team understands that it can be non-trivial
to evaluate and monitor every single browser extension in the
workforce amidst all the competing security priorities, especially
when it comes to zero-day attacks. As demonstrated in the video,
the fake privacy policy app involved in Cyberhaven’s breach was not
detected by any popular threat feed.
SquareX’s Browser Detection and Response (BDR)
solution takes this complexity off security teams by:
- Blocking OAuth consent requests from
unauthorized applications, to prevent employees from accidentally
granting attackers access to the company’s Chrome Web Store account
- Blocking and/or flagging any
suspicious extension update that introduces new, risky permissions
- Blocking and/or flagging any
suspicious extension with a surge of negative reviews
- Blocking and/or flagging
installations of sideloaded extensions
- Streamlining all requests for
extension installations outside the authorized list for quick
approval based on company policy
- Providing full visibility into all extensions
installed and used by employees across the organization
SquareX’s founder Vivek Ramachandran warns:
“Identity attacks targeting browser extensions similar to this
OAuth attack will only become more prevalent as employees rely on
more browser-based tools to be productive at work. Similar variants
of these attacks have been used in the past to steal cloud data
from apps like Google Drive and OneDrive and we will only see
attackers get more creative in exploiting browser extensions.
Companies need to remain vigilant and minimize their supply chain
risk without hampering employee productivity by equipping them with
the right browser native tools.”
About SquareX:
SquareX helps organizations detect, mitigate, and
threat-hunt client-side web attacks happening against their users
in real-time.
SquareX's industry-first Browser Detection and
Response (BDR) solution takes an attack-focused approach to
browser security, ensuring enterprise users are protected against
advanced threats like malicious QR codes, Browser-in-the-Browser
phishing, macro-based malware, and other web attacks encompassing
malicious files, websites, scripts, and compromised networks.
With SquareX, enterprises can provide contractors
and remote workers with secure access to internal applications and
enterprise SaaS, and convert the browsers on BYOD / unmanaged
devices into trusted browsing sessions.
Contact
Head of PR
Junice Liew
SquareX
junice@sqrx.com
Photos accompanying this announcement are available at
https://www.globenewswire.com/NewsRoom/AttachmentNg/8c70ea64-f0ca-4fc4-9039-6f5b15a0adf2
https://www.globenewswire.com/NewsRoom/AttachmentNg/19691fe3-f330-4faf-ad88-7d0cb8a6359c