
Behind the Breach: Malicious Attack on Cyberhaven’s Chrome Extension Developer Team

⚡️Key Takeaways

  • A sophisticated phishing attack compromised Cyberhaven’s Chrome extension, allowing attackers to target customers’ Facebook Ads accounts while bypassing multiple security controls
  • The targeted account had MFA and Google Advanced Protection enabled, yet the attacker obtained developer access by abusing a legitimate OAuth consent flow rather than by stealing credentials
  • The attack reveals how threat actors are evolving beyond traditional phishing to target development platforms and software distribution channels
  • Our Threat Research team has compiled recommendations for adopting the necessary preparedness for these types of attacks.

What Happened?

On December 24, 2024, a phishing attack compromised a Cyberhaven employee’s access to the Google Chrome Web Store. The attacker used this access to upload a malicious version of Cyberhaven’s Chrome extension (version 24.10.4). 

This incident was part of a larger campaign targeting Chrome extension developers, with the end goal of reaching people who have access to Facebook Ads accounts. The malicious extension was distributed to a segment of Cyberhaven’s customers, prompting an ongoing investigation in collaboration with a third-party security response team.

How did the attack unfold?

1. The initial access method

The attacker sent a phishing email to Cyberhaven’s publicly listed support email. When the employee clicked the link, they landed on a genuine Google OAuth consent screen for an attacker-controlled application named “Privacy Policy Extension.” Approving that screen granted the attacker’s app permission to act on the employee’s Chrome Web Store account. Multi-factor authentication (MFA) and Google Advanced Protection were enabled, but both only gate the sign-in; the consent prompt appears after a sign-in has already succeeded, so the attacker received a valid token without ever needing the employee’s password or second factor.

Image by Cyberhaven via https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension

2. Uploading the malicious extension

The attacker uploaded a malicious version of Cyberhaven’s Chrome extension. It passed the Chrome Web Store’s security review and replaced the legitimate version. The malicious build was a copy of the clean extension with additional code embedded to carry out the attacker’s activities, and the Chrome Web Store review did not catch the added code.

3. What the malicious extension contained

The malicious extension included two files:

  • worker.js: Connected to a command-and-control (C&C) server to download its configuration and registered event listeners that issued HTTP requests on the attacker’s behalf.
  • content.js: Ran on Facebook pages, collected user and account data tied to Facebook Ads accounts, and exfiltrated it to the attacker’s C&C server.

4. Data exfiltration

When a user was logged into Facebook.com, the malicious extension harvested:

  • Facebook access tokens
  • User and account details via Facebook APIs
  • Cookies and user agent strings

This data was then packaged and sent to the C&C server for exploitation.

5. Mouse Click Events

The malicious script monitored mouse clicks on Facebook.com to detect QR codes, potentially aiding attackers in bypassing CAPTCHA or MFA.
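The first question a defender has after reading the above is which endpoints actually ran the compromised build, and which other installed extensions can run on the same targeted sites. The following is an added example (not code from Cyberhaven, Obsidian, or this article) that enumerates a Chrome profile’s extensions and flags the ones to look at first. It assumes the layout of Chrome’s on-disk Preferences JSON (per-extension entries under extensions.settings.<extension_id>, each carrying the installed manifest); the profile data and extension IDs below are constructed placeholders, and the known-bad version list is whatever the vendor’s advisory gives you.

```python
"""Enumerate the extensions in a Chrome profile and flag the ones to look at
first after an upstream extension compromise. Added example; not code from
Cyberhaven, Obsidian, or the article.

Assumptions (mine, not the article's): Chrome's on-disk Preferences JSON keeps
per-extension entries under extensions.settings.<extension_id>, each carrying
the installed manifest; the profile below is constructed and the extension IDs
are placeholders."""
import json
from dataclasses import dataclass, field

# Sites the malicious build targeted; any extension able to run there is
# reviewed first.
WATCHED_HOSTS = ("facebook.com",)
# Match patterns that grant access to every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


@dataclass
class Extension:
    ext_id: str
    name: str
    version: str
    from_webstore: bool
    host_patterns: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def load_profile(path: str) -> dict:
    """Read a Chrome Preferences file (a JSON document) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def host_patterns(manifest: dict) -> list:
    """Collect URL match patterns from permissions, host_permissions (MV3) and
    content_scripts; API permission names such as "storage" are dropped."""
    pats = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        pats.extend(script.get("matches", []))
    return [p for p in pats if p == "<all_urls>" or "://" in p]


def pattern_covers(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern reaches `host` or any of its subdomains."""
    if pattern in BROAD_PATTERNS:
        return True
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_part == "*":
        return True
    host_part = host_part[2:] if host_part.startswith("*.") else host_part
    return host_part == host or host_part.endswith("." + host)


def triage(preferences: dict, compromised: dict) -> list:
    """`compromised` maps extension ID -> set of versions known to be malicious.
    Returns every installed extension with its findings (empty = nothing flagged)."""
    results = []
    settings = preferences.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest") or {}
        ext = Extension(ext_id, manifest.get("name", "?"), manifest.get("version", "?"),
                        bool(entry.get("from_webstore")), host_patterns(manifest))
        if ext.version in compromised.get(ext_id, set()):
            ext.findings.append(f"known-malicious version {ext.version} installed")
        if not ext.from_webstore:
            ext.findings.append("not installed from the Chrome Web Store")
        for pat in ext.host_patterns:
            if pat in BROAD_PATTERNS:
                ext.findings.append(f"broad host access: {pat}")
                continue
            for host in WATCHED_HOSTS:
                if pattern_covers(pat, host):
                    ext.findings.append(f"can run on {host}: {pat}")
        results.append(ext)
    return results


def blast_radius(profiles: dict, compromised: dict) -> dict:
    """Fleet view: map each known-malicious (extension ID, version) to the
    profiles (e.g. "hostname/user") where it is installed."""
    hits = {}
    for profile_name, prefs in profiles.items():
        for ext in triage(prefs, compromised):
            if ext.version in compromised.get(ext.ext_id, set()):
                hits.setdefault((ext.ext_id, ext.version), []).append(profile_name)
    return hits


# Placeholder IDs (Chrome IDs are 32 letters a-p); not real extensions.
DLP_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
NOTES_ID = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
SIDELOAD_ID = "cccccccccccccccccccccccccccccccc"

# Constructed profile, shaped like Chrome's Preferences file.
SAMPLE_PROFILE = {"extensions": {"settings": {
    DLP_ID: {"from_webstore": True, "manifest": {
        "name": "Example DLP Extension", "version": "24.10.4",
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["https://*.facebook.com/*"], "js": ["content.js"]}]}},
    NOTES_ID: {"from_webstore": True, "manifest": {
        "name": "Sticky Notes", "version": "1.2.0", "permissions": ["storage"]}},
    SIDELOAD_ID: {"from_webstore": False, "manifest": {
        "name": "Internal Helper", "version": "0.9",
        "host_permissions": ["https://www.facebook.com/*"]}},
}}}
COMPROMISED = {DLP_ID: {"24.10.4"}}  # from the vendor advisory

if __name__ == "__main__":
    for ext in triage(SAMPLE_PROFILE, COMPROMISED):
        print(ext.ext_id, ext.name, ext.version, ext.findings)
    print(blast_radius({"host1/alice": SAMPLE_PROFILE, "host2/bob": SAMPLE_PROFILE}, COMPROMISED))
```

Run across profiles collected from every managed endpoint (load_profile on each Preferences file), blast_radius gives the list of users to notify and hosts to isolate; the per-extension findings give the review order for everything else that can reach the targeted sites.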

What does this mean for identity security?

This specific attack was aimed at Chrome Web Store developer accounts and, through them, at Facebook Ads accounts. The same vector works against any other account that accepts OAuth consent grants, and the most valuable targets are the highly interconnected SaaS applications that hold an organization’s most sensitive data, such as Salesforce, Microsoft 365, and Snowflake.

Our recommendations

This attack on Cyberhaven demonstrates the sophistication of modern cyber attacks against identities, bypassing several security protection layers:

  • The attack abused a legitimate OAuth consent flow. MFA protects authentication (proving who is signing in), not authorization (what the signed-in user then grants to an application); the consent screen is shown only after MFA has already been satisfied, so a second factor cannot block a bad grant.
  • The phishing attempt wasn’t detected by traditional email security solutions.
  • Permissions were granted to the attacker’s malicious app, allowing them to act as the legitimate developer.
  • The Chrome Web Store review failed to detect the malicious code.

To effectively defend against such attacks, security teams should:

  1. Implement a proactive review process for OAuth applications requesting sensitive scopes, ensuring these applications undergo a thorough evaluation to assess their necessity and security posture before granting access. 
  2. Build and maintain a comprehensive inventory of browser extensions (extension ID, version, and granted permissions per endpoint and user). When an extension is compromised upstream, this inventory lets the team immediately determine which users and hosts ran the affected version, assess the blast radius, and act on it.
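The consent flow is not gated by MFA, so the control that is left is a review of which third-party apps hold sensitive grants and a quick path to revoking the ones nobody approved. The following is an added example (not code from Cyberhaven, Obsidian, or this article) of that review for recommendation 1. It assumes grant records shaped like the Google Admin SDK Directory API tokens.list response (clientId, displayText, scopes, anonymous, userKey); the records, client IDs and approved-app list below are constructed placeholders.

```python
"""Review third-party OAuth grants in a Google Workspace tenant and decide
which to revoke. Added example; not code from Cyberhaven, Obsidian, or the
article.

Assumptions (mine): grant records shaped like the Admin SDK Directory API
`tokens.list` response (clientId, displayText, scopes, anonymous, userKey);
the records, client IDs and approved list below are constructed placeholders."""
from dataclasses import dataclass

# Scopes that warrant a human review before a third-party app may hold them.
# The chromewebstore scope is the one that lets an app publish or update
# Chrome Web Store items on the grantee's behalf.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore": "publish or update Chrome Web Store items",
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/admin.directory.user": "manage Workspace users",
}
CHROME_STORE_SCOPE = "https://www.googleapis.com/auth/chromewebstore"


@dataclass
class Finding:
    user: str
    client_id: str
    app: str
    action: str   # "revoke" (client not approved) or "review" (approved; re-check scopes)
    reasons: list


def review_grants(tokens: list, approved_clients: set) -> list:
    """Flag every grant that carries a sensitive scope. Grants whose client ID
    is not on the approved list are marked for revocation."""
    findings = []
    for tok in tokens:
        sensitive = [s for s in tok.get("scopes", []) if s in SENSITIVE_SCOPES]
        if not sensitive:
            continue  # low-privilege grants are out of scope for this review
        reasons = [f"{SENSITIVE_SCOPES[s]} ({s})" for s in sensitive]
        if tok.get("anonymous"):
            reasons.append("client is not registered with Google (anonymous client ID)")
        if tok["clientId"] in approved_clients:
            action = "review"
        else:
            action = "revoke"
            reasons.append("client ID is not on the approved-app list")
        findings.append(Finding(tok["userKey"], tok["clientId"],
                                tok.get("displayText", "?"), action, reasons))
    return findings


def revocations(findings: list) -> list:
    """(userKey, clientId) pairs to revoke; each corresponds to one Directory
    API tokens.delete call for that user and client."""
    return sorted({(f.user, f.client_id) for f in findings if f.action == "revoke"})


def chrome_store_publishers(tokens: list) -> list:
    """Every (userKey, app) holding the Chrome Web Store publish scope: the set
    of identities that can ship a new version of your extension."""
    return sorted((t["userKey"], t.get("displayText", "?"))
                  for t in tokens if CHROME_STORE_SCOPE in t.get("scopes", []))


# Constructed records; client IDs are placeholders, not real OAuth clients.
SAMPLE_TOKENS = [
    # Consent-phishing style app: plausible name, publish scope, unknown client.
    {"userKey": "support@example.com",
     "clientId": "111111111111-placeholder.apps.googleusercontent.com",
     "displayText": "Privacy Policy Extension", "anonymous": False,
     "scopes": [CHROME_STORE_SCOPE]},
    # The build pipeline's approved publisher.
    {"userKey": "release-bot@example.com",
     "clientId": "222222222222-placeholder.apps.googleusercontent.com",
     "displayText": "Extension Release Pipeline", "anonymous": False,
     "scopes": [CHROME_STORE_SCOPE]},
    # Low-privilege grant: not part of this review.
    {"userKey": "alice@example.com",
     "clientId": "333333333333-placeholder.apps.googleusercontent.com",
     "displayText": "Team Calendar", "anonymous": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
APPROVED_CLIENTS = {"222222222222-placeholder.apps.googleusercontent.com"}

if __name__ == "__main__":
    found = review_grants(SAMPLE_TOKENS, APPROVED_CLIENTS)
    for f in found:
        print(f.action.upper(), f.user, f.app, "|", "; ".join(f.reasons))
    print("revoke:", revocations(found))
    print("can publish extensions:", chrome_store_publishers(SAMPLE_TOKENS))
```

The approved list is the output of the review process itself: an app gets onto it only after someone has looked at its publisher, its requested scopes and why it needs them. Run on a schedule, the script turns a new "Privacy Policy Extension"-style grant into a revocation within one cycle instead of after the next malicious upload; chrome_store_publishers is the short list of identities whose consent grants deserve the same scrutiny as the developer accounts themselves.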

Proper tooling is essential to streamline these processes, enabling automated discovery, monitoring, and risk assessment of both OAuth applications and browser extensions, ensuring the organization stays ahead of emerging threats.

Final thoughts

Threat actors are evolving their tried-and-true techniques and traditional defenses alone aren’t able to protect against these sophisticated attacks. The Cyberhaven incident serves as a stark reminder of the evolving threats in the digital landscape. The lessons learned from this attack should motivate all organizations to reassess their security frameworks and prioritize holistic risk mitigation strategies to prevent similar breaches in the future. 

The Obsidian Platform uses a wide range of advanced discovery mechanisms to inventory all federated and unfederated applications, OAuth connections, and browser extensions, giving security teams complete observability into their SaaS environment. To learn more about how Obsidian Security can help reduce SaaS risk and prevent identity threats like this one, download our solution overview here.