Millions Face Critical Alert in Google Chrome Due to Hacker Assaults
Towards the end of December, I reported on an ongoing campaign to bypass two-factor authentication defenses by targeting Google Chrome users. The threat was confirmed when a cybersecurity company verified that its own browser extension had been laced with malicious code. At least 35 businesses appear to have had their Chrome extensions replaced with malware-laden versions. Here's what you need to know about the 2FA bypass attacks, as new details have surfaced.
The Chronology of the Google Chrome 2FA Bypass Attack
Cybercriminals never take a break: this ought to be the motto of every user and administrator concerned with security. A series of breaches involving Google Chrome browser extensions began in mid-December and persisted throughout the festive period. However, according to a recent report from Bleeping Computer, the hackers behind the attacks had been testing their strategy and tooling since March 2024, with the domains used in the attack registered in November and early December. "Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, impacting Cyberhaven's Chrome extension," Howard Ting, CEO of the data breach detection and crisis management company, stated in a security alert posting. "We aim to share the complete details of the incident and the actions we're taking to protect our customers and mitigate any damage."
The Cyberhaven breach began when an employee was successfully phished, giving the attackers the credentials required for developer access to the Google Chrome Web Store. This enabled them to publish a malicious version of Cyberhaven's Chrome extension, containing code to exfiltrate session cookies and bypass 2FA protections for anybody who installed it. The attack started on Dec. 24 and was discovered late on Dec. 25; the malicious extension was removed within 60 minutes of discovery.
Unveiled Information About the Methods Used in the Google Chrome 2FA Bypass Attacks
As outlined by the Bleeping Computer team, the 2FA bypass Chrome attack appears to have impacted at least 35 browser extensions, potentially affecting 2.6 million users. The campaign against targeted extension developers seems to have intensified on Dec. 5, using what developers describe as an advanced phishing email. The emails purported to come from Chrome Web Store domains (all of which were counterfeit) and described a Chrome extension policy violation. OK, so maybe not that sophisticated after all: bogus domains that wouldn't stand up to close scrutiny, paired with a sense of urgency, the urgency being that the extension would be removed if the policy violation wasn't rectified.
"We do not allow extensions with misleading, poorly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata, including but not limited to the extension description, developer name, title, icon, screenshots, and promotional images," the email seen by Bleeping Computer read. Of course, the victim would then be directed to a policy verification landing page, which actually harvested the credentials needed to grant a third-party application access to Google resources. "The employee followed the standard procedure and inadvertently authorized this malicious third-party application," Cyberhaven said in a preliminary incident report.
An examination of the indicators of compromise for these attacks, Bleeping Computer reporter Bill Toulas wrote, "revealed that the attackers were after the Facebook accounts of users of the tampered extensions." It appears that a mouse click event listener was specifically looking for QR code images associated with Facebook's 2FA mechanisms.
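The pattern described above is an extension update that silently gains the ability to read session cookies on every site. Below is an added audit example for defenders, not code from Cyberhaven, Google or Bleeping Computer; it assumes Chrome's on-disk layout of `Extensions/<id>/<version>/manifest.json`, and every extension id, version and manifest in it is a constructed sample.

```python
"""Audit Chrome extension manifests for a pushed update that widens access
to cookies on all sites. Illustrative example, not Cyberhaven's or Google's
tooling; ids, versions and manifests below are constructed samples."""
import json
from pathlib import Path
from typing import Optional

# Host patterns that grant access to every site a user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def grants(manifest: dict) -> set:
    """Union of API permissions and host patterns (covers manifest v2 and v3)."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))

def audit_manifest(manifest: dict, baseline: Optional[dict] = None) -> list:
    """Findings for one extension. `baseline` is the manifest last recorded for
    the same extension id, so a permission widening on update is caught."""
    findings = []
    now = grants(manifest)
    if "cookies" in now and now & BROAD_HOSTS:
        findings.append("reads cookies on all sites: session-cookie theft risk")
    if baseline is not None:
        added = now - grants(baseline)
        if added and manifest.get("version") != baseline.get("version"):
            findings.append(f"update {baseline.get('version')}->{manifest.get('version')} "
                            f"added {sorted(added)}")
    return findings

def audit_dir(root: Path, baselines: dict) -> dict:
    """Walk <root>/<extension id>/<version>/manifest.json as Chrome lays it out
    and return {extension id: findings}; `baselines` maps id -> last manifest."""
    report = {}
    for mf in root.glob("*/*/manifest.json"):
        ext_id = mf.parent.parent.name
        report[ext_id] = audit_manifest(json.loads(mf.read_text()), baselines.get(ext_id))
    return report

# Constructed samples: a narrowly scoped release and a widened follow-up update.
BASELINE = {"version": "24.10.4", "permissions": ["storage", "tabs"],
            "host_permissions": ["https://example.test/*"]}  # hypothetical host
UPDATE = {"version": "24.10.5", "permissions": ["storage", "tabs", "cookies"],
          "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    for line in audit_manifest(UPDATE, BASELINE):
        print(line)
```

Recording each extension's manifest at install time and re-running `audit_dir` after every update gives an endpoint-level signal for the kind of silent permission change seen here.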
I have reached out to Google and Facebook for a statement.