The Good Tech Companies - SquareX Researchers Expose OAuth Attack On Chrome Extensions Days Before Major Breach
Episode Date: December 30, 2024. This story was originally published on HackerNoon at: https://hackernoon.com/squarex-researchers-expose-oauth-attack-on-chrome-extensions-days-before-major-breach. This story was written by: @cybernewswire.
Transcript
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach, by CyberNewswire.
Palo Alto, California, USA, December 30, 2024, CyberNewswire. SquareX, an industry-first browser detection and response (BDR) solution, leads the way in browser security.
About a week ago, SquareX reported large-scale attacks targeting Chrome extension developers
aimed at taking over the Chrome extension from the Chrome store. On December 25, 2024,
a malicious version of Cyberhaven's browser extension was published on the Chrome store
that allowed the attacker to hijack authenticated sessions and exfiltrate confidential information. The malicious extension was available for
download for more than 30 hours before being removed by Cyberhaven. The data loss prevention
company declined to comment on the extent of the impact when approached by the press,
but the extension had over 400,000 users on the Chrome store at the time of the attack.
Unfortunately, the attack took place just as SquareX's researchers had identified a similar attack, with a video demonstrating the entire attack pathway, a week before the Cyberhaven breach. The attack begins with a phishing email impersonating the Chrome Store, containing a supposed violation of the platform's developer agreement and urging the receiver to accept the policies to prevent their extension from being removed from the Chrome Store. Upon clicking the policy button, the user is prompted to connect their Google account to a "privacy policy" extension, which grants the attacker access to edit, update and publish extensions on the developer's account.
Fig 1. Phishing email targeting extension developers.
Fig 2. Fake privacy policy extension requesting access to edit, update or publish the developer's extension.
Extensions have become an increasingly popular way for attackers to gain initial access. This is because most organizations have limited purview of what browser extensions their employees are using. Even the most rigorous security teams typically do not monitor subsequent updates once an extension is whitelisted. SquareX has conducted extensive research and demonstrated at DEF CON 32 how MV3-compliant extensions can be used to steal video stream feeds, add a silent GitHub collaborator, and steal session cookies, among others. Attackers can create a seemingly harmless extension and later convert it into a malicious one post-installation or, as demonstrated in the attack above, deceive the developers behind a trusted extension to gain access to one that already has hundreds of thousands of users.
In Cyberhaven's case, attackers were able to steal company credentials across multiple
websites and web apps through the malicious version of the extension.
Given that developer emails are publicly listed on the Chrome Store, it is easy for attackers to target thousands of extension developers at once. These emails are typically used for bug reporting; thus, even support emails listed for extensions from larger companies are usually routed to developers who may not have the level of security awareness required to recognize such an attack as suspicious.
Based on SquareX's attack disclosure and the Cyberhaven breach that occurred within the span of less than two weeks, the company has strong reason to believe that many other browser extension providers are being attacked in the same way. SquareX urges companies and individuals alike to conduct a careful inspection before installing or updating any browser extensions.
Fig 3. Contact details of extension developers are publicly available on the Chrome Store.
The SquareX team understands that it can be non-trivial to evaluate and monitor every single browser extension in the workforce amidst all the competing security priorities, especially when it comes to zero-day attacks. As demonstrated in the video, the fake privacy policy app involved in Cyberhaven's breach was not even detected by any popular threat feeds. SquareX's browser detection and response (BDR) solution takes this complexity off security teams by:
- Blocking OAuth interactions with unauthorized websites, to prevent employees from accidentally giving attackers unauthorized access to their Chrome Store account.
- Blocking and/or flagging any suspicious extension updates containing new, risky permissions.
- Blocking and/or flagging any suspicious extensions with a surge of negative reviews.
- Blocking and/or flagging installations of sideloaded extensions.
- Streamlining all requests for extension installations outside the authorized list for quick approval based on company policy.
- Providing full visibility of all extensions installed and used by employees across the organization.
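The second control in the list above, flagging an update that introduces new risky permissions, is the one a security team can reproduce on its own without any product: keep the manifest.json of the version you approved and diff it against the manifest of the pending update. The Python below is an added example written for this page; it is not SquareX's code, not the BDR product's logic, and not anything from Cyberhaven's extension. The permission risk list is an illustrative policy of my own (a Chrome extension's actual capabilities depend on the full permission set), and the two manifests are constructed samples.

```python
"""Flag a browser-extension update that requests new high-risk permissions.

Added example: compares the manifest.json of the currently approved version
with the manifest of a pending update and decides whether the update can be
auto-allowed or must be held for review. The risk list below is an
illustrative policy (an assumption), not an official Chrome or vendor list.
"""
import json

# Illustrative policy (assumption): API permissions that let an extension read
# session cookies, intercept or rewrite traffic, or run code on arbitrary pages.
RISKY_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "debugger", "scripting",
    "tabs", "history", "nativeMessaging", "clipboardRead", "management",
    "declarativeNetRequest", "identity",
}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def extract_permissions(manifest: dict) -> tuple[set, set]:
    """Return (api_permissions, host_permissions) for an MV2 or MV3 manifest.

    MV2 manifests mix host match patterns into "permissions"; MV3 lists them
    under "host_permissions". Optional permissions are included as well,
    because the extension can request them at runtime once installed.
    """
    api, hosts = set(), set()
    for p in manifest.get("permissions", []) + manifest.get("optional_permissions", []):
        if p == "<all_urls>" or "://" in p:
            hosts.add(p)
        else:
            api.add(p)
    hosts.update(manifest.get("host_permissions", []))
    hosts.update(manifest.get("optional_host_permissions", []))
    return api, hosts


def diff_update(old_manifest: dict, new_manifest: dict) -> dict:
    """Compare two manifests and return the findings plus a recommended action."""
    old_api, old_hosts = extract_permissions(old_manifest)
    new_api, new_hosts = extract_permissions(new_manifest)
    added_api = new_api - old_api
    added_hosts = new_hosts - old_hosts
    risky = sorted(added_api & RISKY_PERMISSIONS)
    broad = bool(added_hosts & BROAD_HOSTS)
    return {
        "version": (old_manifest.get("version"), new_manifest.get("version")),
        "new_permissions": sorted(added_api),
        "new_host_permissions": sorted(added_hosts),
        "risky_new_permissions": risky,
        "broad_host_access_added": broad,
        # Any new risky API permission or any-site host access holds the update.
        "action": "hold_for_review" if (risky or broad) else "allow",
    }


# Constructed sample manifests (not Cyberhaven's or any real extension's).
APPROVED_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example DLP Helper", "version": "1.0.0",
  "permissions": ["storage", "activeTab"],
  "host_permissions": ["https://console.example.invalid/*"]
}""")
PENDING_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example DLP Helper", "version": "1.0.1",
  "permissions": ["storage", "activeTab", "cookies", "webRequest"],
  "host_permissions": ["https://console.example.invalid/*", "<all_urls>"]
}""")


if __name__ == "__main__":
    # The pending update adds cookie and traffic access on every site: hold it.
    print(json.dumps(diff_update(APPROVED_MANIFEST, PENDING_MANIFEST), indent=2))
```

The check is deliberately stateless: feed it the manifest you pinned at approval time and the manifest of whatever version the store is now serving. It will not catch an update that keeps its permissions identical while changing behaviour in code, which is why the list above also pairs it with review-surge and sideload signals.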
SquareX's founder Vivek Ramachandran warns: "Identity attacks targeting browser extensions similar to this OAuth attack will only become more prevalent as employees rely on more browser-based tools to be productive at work. Similar variants of these attacks have been used in the past to steal cloud data from apps like Google Drive and OneDrive, and we will only see attackers get more creative in exploiting browser extensions. Companies need to remain vigilant and minimize their supply chain risk without hampering employee productivity by equipping them with the right browser-native tools."
About SquareX
SquareX helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real time. SquareX's industry-first browser detection and response (BDR) solution takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR codes, browser-in-the-browser phishing, macro-based malware, and other web attacks encompassing malicious files, websites, scripts, and compromised networks. With SquareX, enterprises can provide contractors and remote workers with secure access to internal applications and enterprise SaaS, and convert the browsers on BYOD and unmanaged devices into trusted browsing sessions.
Contact: Head of PR, Junus Liu, SquareX, junus@sqrx.com.
This story was distributed as a release by CyberNewswire under HackerNoon's business blogging program.
Thank you for listening to this HackerNoon story, read by Artificial Intelligence.
Visit HackerNoon.com to read, write, learn and publish.