More details have emerged about the Chrome extension 2FA bypass attacks
Update, Jan. 4, 2025: This story, originally published Jan. 2, now includes a link to details of all the known Chrome extensions to have been targeted by the hackers.
As I reported at the end of December, an ongoing attack aimed at bypassing two-factor authentication protections and targeting Google Chrome users was confirmed when a cybersecurity company confirmed that its browser extension had been injected with malicious code. It now appears that at least 35 companies had their Chrome extensions replaced with malware versions. Here’s everything you need to know about the 2FA bypass hack attacks as new information has emerged.
The Google Chrome 2FA Bypass Attack Timeline
Hackers don’t take holidays: this should be a mantra for all users and defenders when it comes to cybersecurity protection. A number of compromises involving Google Chrome web browser extensions started in mid-December and continued through the seasonal break. However, according to a new report from Bleeping Computer, the hackers behind the attacks were apparently testing their methodology and the technology used as far back as March 2024, with the domains used to pull it all off registered in November and early December. “Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven's Chrome extension,” Howard Ting, CEO of the data attack detection and incident response company, said in a security alert posting, “We want to share the full details of the incident and steps we’re taking to protect our customers and mitigate any damage.”
The Cyberhaven attack began when an employee was successfully phished, giving the hackers credentials to gain developer access to the Google Chrome Web Store. This enabled them to publish a malicious version of the Chrome extension used by Cyberhaven, which contained code to exfiltrate session cookies and so bypass 2FA protections for anyone who fell victim. The attack started on Dec. 24 and was discovered late on Dec. 25 when the extension was removed within 60 minutes.
New Details Emerge About Google Chrome 2FA Bypass Attack Methods
As reported by the team at Bleeping Computer, the 2FA bypass Chrome hack attack appears to have compromised at least 35 browser extensions, with some 2.6 million users potentially impacted. The hack attack seems to have started in earnest against the targeted extension developers on Dec. 5, with, and I know this term is overused, what developers are calling a sophisticated phishing email. Seemingly coming from possible Chrome Web Store domains (they were, of course, all fake) and detailing a Chrome extension policy violation. OK, so maybe not that sophisticated after all: fake domains that wouldn’t have stood up to close inspection, coupled with a sense of urgency. The urgency being that the extension would be removed if the policy violation was not corrected.
"We do not allow extensions with misleading, poorly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata, including but not limited to the extension description, developer name, title, icon, screenshots, and promotional images,” the email seen by Bleeping Computer read. Of course, the victim is then directed to a policy check landing page which actually harvests credentials needed to grant access to Google resources for third-party app developers. "The employee followed the standard flow and inadvertently authorized this malicious third-party application," Cyberhaven said“ in a preliminary incident report.
An analysis of the indicators of compromise for these attacks, Bill Toulas, a reporter at Bleeping Computer, said, “showed that the attackers were after the Facebook accounts of users of the poisoned extensions.” It would appear that a mouse click event listener was specifically looking for QR code images related to Facebook’s 2FA mechanisms.
I have reached out to Google and Facebook for a statement.
Following contact with John Tuckner, the founder of browser extension analysis firm Secure Annex, the senior security editor at Art Technica, Dan Goodin, has published details of all the Chrome extensions thought to have been impacted by this attack.
Chrome Protections Against 2FA Bypass Attacks
Google Chrome uses app-bound encryption, which encrypts data tied to identity in much the same way as macOS users experience with Keychain protection. This prevents any app running as the logged-in user from gaining access to secrets such as session cookies which are used in 2FA bypass attacks. Google also provides protections such as safe browsing, device-bound session credentials and Google’s account-based threat detection feature. There are “numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks,” a Google spokesperson said, “Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.”
