
Confirmed Incidents of Google Chrome 2FA Bypass Attacks: Millions of Users Potentially Exposed

A confirmed attack campaign is targeting Google Chrome users' session cookies in order to bypass two-factor authentication; here's what you need to know.

Chrome app symbol showcased with a finger hovering nearby.


Update, Dec. 30, 2024: This article, originally published on Dec. 29, now includes information on how 2FA session cookie compromises in Google Chrome browser extensions can be bypassed, along with advice from security experts on preventing the Chrome malicious extension attacks.

It has been made clear through a series of Google Chrome browser extension hacks in the last couple of weeks that hackers do not take breaks, even during the holiday season. Here's everything you need to know about the ongoing Google Chrome two-factor authentication bypass attacks.

The Most Recent Google Chrome Browser Extension Hacks Explained

As reported by Reuters on Dec. 27, "hackers have compromised multiple companies' Chrome browser extensions through a series of intrusions". While hackers using Chrome extensions as an attack methodology is not a new phenomenon, this recent campaign seems to indicate just how determined attackers are in stealing session cookies and bypassing your two-factor authentication protections.

Because this incident appears to be part of a larger campaign, the total number of users at risk is likely in the millions. The attack on security company Cyberhaven is particularly noteworthy, both for the potential damage such attacks can cause and for the speed of the company's response.

"Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven's Chrome extension," said Howard Ting, CEO of the data attack detection and incident response company, in a security alert posted on Dec. 26. "We want to share the full details of the incident and steps we're taking to protect our customers and mitigate any damage."

The Cyberhaven Chrome Extension Attack

The attack against Cyberhaven customers began on Dec. 24, when a phishing attack compromised an employee's account. The attacker then used the employee's credentials to access the Google Chrome Web Store and publish a malicious version of the Chrome extension. The malicious extension was not discovered until late on Dec. 25 and was removed within 60 minutes.

A preliminary investigation into the attack revealed that the initial attack vector was through a phishing email sent to the registered support email for Cyberhaven's Chrome extension, targeting the developers. Cyberhaven has shared this email to warn others of what such an initial attack might look like.

When the victim clicked on the link, they were redirected to the Google authorization flow for "adding a malicious OAuth Google application called Privacy Policy Extension," Cyberhaven said. This consent page was hosted on google.com and was part of the standard process for granting access to third-party Google applications.

The employee had Google Advanced Protection enabled and multi-factor authentication (MFA) covering their account. Because an OAuth consent grant gives an application access without a fresh sign-in, no MFA prompt was triggered, and the employee's Google credentials were not compromised in the attack. A malicious extension based on a clean prior version of the official Cyberhaven Chrome extension was then uploaded to the Chrome Web Store.

Chrome Extension Attack—A Two-Factor Authentication Bypass Explained

Although two-factor authentication remains a crucial layer in your credential verification security protections, it is not invulnerable to attack. It is widely understood that 2FA delivered by SMS text message is vulnerable to interception, and a code-generating authenticator app is a much stronger option for most people. Attackers can still get past this layer, however. They do not defeat the second factor itself; instead, they capture and clone the result of a successful authentication.

An attacker redirects the victim to a genuine-looking login page where credentials are entered. When it comes to the 2FA code entry step, an attacker-in-the-middle technique lets the attacker capture and store the session cookie that is created once a correct code is entered. This cookie marks the user session as fully authenticated, so the attacker can replay that session at their leisure and still be treated as the authenticated user.
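The session cookie described above is a bearer token: whoever presents it is trusted, regardless of who passed the 2FA step. The following added example (not code from the article or from Cyberhaven) shows one server-side mitigation: binding each session to the network and browser context seen when 2FA completed, and demanding a fresh 2FA step when the cookie shows up from a different context. All session data, the cookie format and the server key are constructed for the example.

```python
# Added example: bind an authenticated session to the client context observed
# when 2FA was passed, so a replayed cookie is challenged instead of trusted.
from dataclasses import dataclass
import hashlib
import hmac
import secrets

@dataclass
class Session:
    user: str
    ip_prefix: str       # first three octets of the client IP at issuance
    ua_hash: str         # hash of the User-Agent string at issuance
    issued_at: int       # unix time the 2FA step succeeded
    mfa_verified: bool = True

SESSIONS: dict[str, Session] = {}          # constructed in-memory session store
_KEY = secrets.token_bytes(32)             # constructed server secret for cookie MAC

def _ua_hash(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()[:16]

def _net(ip: str) -> str:
    # Coarse /24 binding: mobile carriers and VPNs can legitimately move, so in
    # practice this is a signal to re-challenge for 2FA, not a hard block.
    return ".".join(ip.split(".")[:3])

def issue_session(user: str, ip: str, user_agent: str, now: int) -> str:
    """Called only after the 2FA step succeeds; returns the cookie value."""
    sid = secrets.token_urlsafe(24)
    tag = hmac.new(_KEY, sid.encode(), "sha256").hexdigest()[:16]
    SESSIONS[sid] = Session(user, _net(ip), _ua_hash(user_agent), now)
    return f"{sid}.{tag}"

def check_session(cookie: str, ip: str, user_agent: str, now: int,
                  max_age: int = 8 * 3600) -> str:
    """Return 'ok', or the reason the request must repeat the 2FA step."""
    sid, _, tag = cookie.partition(".")
    good = hmac.new(_KEY, sid.encode(), "sha256").hexdigest()[:16]
    if not hmac.compare_digest(tag, good) or sid not in SESSIONS:
        return "invalid-cookie"
    s = SESSIONS[sid]
    if now - s.issued_at > max_age:
        return "expired"
    if not s.mfa_verified:
        return "reauth-required"
    if _net(ip) != s.ip_prefix or _ua_hash(user_agent) != s.ua_hash:
        # Same cookie, different network or browser: treat as a possible
        # replayed cookie and require a fresh 2FA step before continuing.
        s.mfa_verified = False
        return "context-mismatch"
    return "ok"
```

A short session lifetime and binding checks limit how long a stolen cookie stays useful; they do not stop the theft itself.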

The deceptive email that initiated the Cyberhaven extension intrusion incident

Chrome Extension Two-Factor Authentication Bypass Attack—Impact and Scope

According to Cyberhaven, the impact and scope of the Chrome extension attack are as follows:

The only affected version of the Chrome extension was 24.10.4, with the malicious code being active between Christmas Day and Boxing Day. Only customers using Chrome-based browsers that auto-updated during the period of the attack were affected.

For those browsers that were running the compromised extension, Cyberhaven has confirmed that it "could have exfiltrated cookies and authenticated sessions for certain targeted websites." The initial investigation suggests that the targeted logins were social media advertising and AI platforms.

"Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD processes and code signing keys, were compromised," Ting said.

How to Prevent Two-Factor Authentication Bypass Attacks and Respond to the Cyberhaven Chrome Extension Incident

With the Federal Bureau of Investigation warning people on Oct. 30 about session cookie theft by cybercriminals in order to bypass 2FA account protections, it is increasingly important to be aware of these attacks and take steps to mitigate their impact.

According to Google, "there are numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks."

Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication. If you're using Google Chrome, you can enable two-factor authentication by following these steps:

  1. Go to "myaccount.google.com" and sign in.
  2. Click on "Security" in the Personal info and privacy section.
  3. Under "Signing in to Google," you'll see "2-Step Verification." Click "Get started."
  4. Follow the instructions on the screen to complete setting up two-step verification.
  5. You can also add a security key to further enhance your authentication security.

If you're a Cyberhaven customer and have concerns about the attack, you can contact the company's support team for more information.

Vivek Ramachandran, founder of SquareX, raised a related issue. He noted that employees frequently use single sign-on and authorization screens, and in doing so may grant unknown third-party apps access to their permissions. On the server side, this can be addressed by preventing apps from requesting questionable OAuth scopes unless they have been explicitly authorized. Although maintaining such a whitelist isn't always feasible and may hamper productivity, a browser-based Detection-Response tool can perform the same task.
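As an added illustration of the server-side control just described (example code, not from SquareX, Google or the article), the following triages OAuth consent events against a whitelist of approved apps and a set of sensitive scopes. The client IDs, app names and audit events are constructed; the scope strings are assumed to be the real Google API scope names and are not taken from the article.

```python
# Added example: triage third-party OAuth consent events. An unapproved app that
# asks for a sensitive scope is blocked; sign-in-only scopes are allowed; anything
# else from an unknown app is queued for review.
APPROVED_CLIENTS = {"1234.apps.example": "Corporate SSO connector"}   # constructed

# Assumed Google API scope names (not from the article); the first is the one
# that lets an app publish to the Chrome Web Store on the user's behalf.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
}
LOW_RISK_SCOPES = {"openid", "email", "profile"}

def evaluate_consent(event: dict) -> dict:
    """Decide allow / review / block for one OAuth authorization event."""
    scopes = set(event["scopes"])
    sensitive = sorted(scopes & SENSITIVE_SCOPES)
    if event["client_id"] in APPROVED_CLIENTS:
        return {"decision": "allow", "reason": "approved client", "sensitive": sensitive}
    if sensitive:
        return {"decision": "block",
                "reason": "unapproved app requested sensitive scopes",
                "sensitive": sensitive}
    if scopes - LOW_RISK_SCOPES:
        return {"decision": "review",
                "reason": "unapproved app requested non-sign-in scopes",
                "sensitive": []}
    return {"decision": "allow", "reason": "sign-in-only scopes", "sensitive": []}

# Constructed audit events: a benign SSO grant, a look-alike extension-publishing
# app (the pattern described for the Cyberhaven phish), and a low-risk sign-in.
CONSTRUCTED_EVENTS = [
    {"user": "dev@example.test", "client_id": "1234.apps.example",
     "app_name": "Corporate SSO connector",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive"]},
    {"user": "dev@example.test", "client_id": "9999.apps.example",
     "app_name": "Privacy Policy Extension",
     "scopes": ["https://www.googleapis.com/auth/chromewebstore"]},
    {"user": "ops@example.test", "client_id": "5555.apps.example",
     "app_name": "Some SaaS sign-in", "scopes": ["openid", "email"]},
]

def triage(events: list) -> list:
    """Return (user, app_name, decision) for each event, for an alert queue."""
    return [(e["user"], e["app_name"], evaluate_consent(e)["decision"]) for e in events]
```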

In relation to this specific attack, Cyberhaven notified those affected, and, for the sake of full transparency, also those who were not. The malicious Chrome extension was removed from the Chrome Web Store, and a secure version, numbered 24.10.5, was installed automatically. Customers who were running version 24.10.4 of the Chrome extension during the affected period should, Ting advised, check that the extension has been updated to version 24.10.5 or later. I've made contact with Google for a comment on this matter.

  1. Even with two-factor authentication (2FA) enabled on a Google account, recent extension hacks have shown that attackers can still bypass it using a malicious Chrome extension, as demonstrated in the Cyberhaven attack.
  2. To prevent Chrome malicious extension attacks, security experts advise users to enable passkeys in Google Chrome, which provide stronger protection against phishing and social engineering attacks compared to SMS or app-based 2FA.
  3. Google Chrome 2FA bypass attacks, like the one against Cyberhaven, can be carried out by redirecting the victim to a genuine login page, capturing the 2FA code session cookie, and then reusing it to access the user's session as an authorized user.
  4. To safeguard against Chrome extension two-factor authentication bypass attacks, companies can limit the OAuth scopes that apps can request unless they are authorized, creating a whitelist or utilizing a browser-based Detection-Response tool.
  5. Following the Cyberhaven Chrome extension incident, Google removed the malicious extension from its Web Store and advised affected users to update to the latest version of the extension to ensure their security.
