Cyberhaven Hack: How a Supply-Chain Attack Exposed Browser Extension Vulnerabilities

Cyberhaven, a data-loss prevention startup, has recently revealed that hackers launched a malicious update to its Chrome extension, enabling the theft of customer passwords and session tokens. This breach, which appears to be part of a suspected supply-chain attack, was disclosed in an email sent to affected customers. The incident underscores the growing risks associated with third-party software and the security of browser extensions.

The company confirmed the attack to TechCrunch but refrained from sharing specific details. According to an email obtained and published by security researcher Matt Johansen, the attackers compromised a company account to release the malicious update during the early hours of December 25. The update allowed sensitive data, such as authenticated sessions and cookies, to be exfiltrated to the attackers’ domain. Cyberhaven spokesperson Cameron Coles declined to comment on the specifics of the email but did not contest its authenticity.

The Timeline of the Attack

Cyberhaven’s security team discovered the breach later on December 25 and took swift action to mitigate the damage. The compromised version of the extension, labeled 24.10.4, was removed from the Chrome Web Store, and a legitimate replacement (version 24.10.5) was deployed shortly afterward. However, the damage may have already been done for users who had installed the malicious version.

Cyberhaven’s browser extensions are designed to monitor for potentially harmful activities on websites and prevent data exfiltration. The Chrome Web Store indicates that the extension has a substantial user base of approximately 400,000 corporate customers, which includes prominent organizations such as Motorola, Reddit, and Snowflake, alongside law firms and health insurance companies. Despite this wide reach, Cyberhaven has not disclosed the number of customers directly impacted by the breach.

Recommendations for Affected Users

In its communication to customers, Cyberhaven recommended urgent action to minimize potential risks. Affected users were advised to revoke and reset all credentials, including passwords and API tokens. The company also urged users to review their activity logs for any signs of malicious behavior. Stolen session tokens and cookies pose a significant risk, as they can be used to bypass security measures like two-factor authentication, granting attackers unauthorized access to accounts without the need for passwords.

However, the email did not clarify whether customers should reset credentials for other accounts stored in the Chrome browser. When questioned by TechCrunch, Cyberhaven declined to provide additional guidance on this matter.

The Breach’s Root Cause

The attackers reportedly compromised Cyberhaven’s “single admin account for the Google Chrome Store” to execute the breach. Details about how this account was accessed remain unclear, as does the specific security protocol in place at the time. Cyberhaven stated that it has launched a comprehensive review of its security practices and plans to implement additional safeguards based on the findings.

To address the breach, Cyberhaven enlisted the services of Mandiant, a renowned incident response firm, and is cooperating with federal law enforcement agencies. This proactive approach demonstrates the company’s commitment to mitigating the impact of the attack and preventing future incidents.

A Broader Campaign Targeting Chrome Extensions

Evidence suggests that Cyberhaven may not have been the sole target of this attack. Jaime Blasco, the co-founder and CTO of Nudge Security, highlighted that several other Chrome extensions were compromised as part of what appears to be a larger campaign. These extensions reportedly cater to a diverse user base and include tools related to AI, productivity, and VPNs.

Blasco theorized that the attackers’ strategy was opportunistic, targeting extensions based on the availability of compromised developer credentials rather than singling out specific companies. He also suggested that the campaign may have begun earlier in the year, indicating a prolonged and coordinated effort.

Cyberhaven’s own statement aligns with Blasco’s assessment. The company acknowledged public reports suggesting that the attack was part of a widespread effort to exploit Chrome extension developers across various organizations. However, the identity of the attackers and the full extent of the campaign remain unknown. Other affected companies and their compromised extensions have yet to be confirmed.

Implications for Browser Extension Security

The incident highlights significant vulnerabilities in the browser extension ecosystem. Extensions often require elevated permissions to function, making them attractive targets for cybercriminals. When compromised, they can provide attackers with direct access to sensitive user data, as seen in this case.

Cyberhaven’s breach raises questions about the security measures that companies and developers should adopt to protect their extensions. The reliance on single admin accounts for publishing updates, for instance, represents a potential point of failure. Implementing multi-factor authentication, rigorous access controls, and regular security audits could help mitigate such risks in the future.

The Role of Incident Response

The involvement of Mandiant underscores the importance of a swift and effective incident response. By partnering with a specialized firm, Cyberhaven can thoroughly investigate the breach, identify vulnerabilities, and strengthen its defenses. Cooperation with federal authorities also plays a crucial role in tracking down the perpetrators and preventing similar attacks on other organizations.

Moving Forward

Cyberhaven’s experience serves as a cautionary tale for companies relying on browser extensions to deliver critical functionality. The incident underscores the need for robust security measures, including strong authentication protocols, routine monitoring, and a proactive approach to threat detection. Users, too, must remain vigilant, updating software regularly and scrutinizing permissions granted to browser extensions.
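The advice above, scrutinizing extension permissions and, earlier in the article, confirming that the malicious 24.10.4 build is no longer installed, can be turned into a simple audit of the `manifest.json` files that Chrome keeps for each installed extension. The script below is an added example for this article, not code from Cyberhaven or from the article itself. It assumes a set of manifest texts (constructed inline here; in practice read from each extension's install directory), matches the compromised build by extension name and version because the article does not give the extension's store ID, and flags permissions that grant access to cookies, browsing activity or every site, since the article notes that this level of access is what makes a compromised extension so damaging.

```python
import json
from dataclasses import dataclass, field

# Permissions that let an extension read authenticated sessions or observe and
# modify every page the user visits. A compromised extension with these can
# exfiltrate cookies and session tokens, which is the behaviour the article describes.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs",
                     "scripting", "history", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# The article names 24.10.4 as the malicious build and 24.10.5 as its replacement.
# Matching by (name, version) is an assumption of this example; the store ID
# would be the more reliable key but is not given in the article.
KNOWN_BAD = {("Cyberhaven", "24.10.4")}


@dataclass
class Finding:
    name: str
    version: str
    reasons: list = field(default_factory=list)


def assess_manifest(manifest: dict) -> Finding:
    """Return a Finding whose reasons list is empty when nothing is suspicious."""
    name = manifest.get("name", "?")
    version = manifest.get("version", "?")
    reasons = []
    if (name, version) in KNOWN_BAD:
        reasons.append("matches known compromised build")
    perms = set(manifest.get("permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        reasons.append("sensitive permissions: " + ", ".join(risky))
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        reasons.append("broad host access: " + ", ".join(broad))
    return Finding(name, version, reasons)


def audit(manifest_texts):
    """Parse each manifest.json text and return only the flagged findings."""
    flagged = []
    for text in manifest_texts:
        finding = assess_manifest(json.loads(text))
        if finding.reasons:
            flagged.append(finding)
    return flagged


# Constructed sample manifests standing in for files under a Chrome profile's
# Extensions directory. Permission sets are illustrative, not the real extensions'.
SAMPLE_MANIFESTS = [
    json.dumps({"name": "Cyberhaven", "version": "24.10.4", "manifest_version": 3,
                "permissions": ["cookies", "webRequest", "storage"],
                "host_permissions": ["<all_urls>"]}),
    json.dumps({"name": "Cyberhaven", "version": "24.10.5", "manifest_version": 3,
                "permissions": ["cookies", "webRequest", "storage"],
                "host_permissions": ["<all_urls>"]}),
    json.dumps({"name": "Example Notes", "version": "1.2.0", "manifest_version": 3,
                "permissions": ["storage"]}),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFESTS):
        print(f"{f.name} {f.version}:")
        for r in f.reasons:
            print("  -", r)
```

The replacement build 24.10.5 is still listed, because a data-loss prevention extension legitimately needs broad access; the point of the permission check is to make that access visible so an administrator can decide whether each extension deserves it, while the version match is the one hard indicator the article provides.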

As the investigation unfolds, the cybersecurity community will undoubtedly glean valuable insights from this breach. These lessons will be instrumental in bolstering the security of browser extensions and safeguarding user data in an increasingly interconnected digital landscape.
