Compromised Browser Extensions

Security

January 9, 2025

Browser extensions are frequently granted extensive permissions to sensitive user information, including identity information, cookies, browsing history and data, passwords, web page content, text input, and audio/video capture. Unfortunately, many organizations may not know what extensions are installed on their systems, what permissions those extensions have been granted, or what vulnerabilities and attack vectors are associated with them, such as credential theft, account takeover, session hijacking, and data theft.

Threat actors can compromise developer accounts and publish malicious versions of these extensions to the store, which can result in harmful browser extensions being distributed to users when they are installed or updated. Once browser extensions are compromised, they are considered malicious and should be removed immediately, as threat actors can maintain access through live malicious extensions and exfiltrate data.

Last month, threat actors compromised a Cyberhaven account via a phishing campaign to push a new update with malicious code to the Chrome Web Store. Since then, additional compromised extensions have been discovered, putting millions of users at risk of data exposure and credential theft.

Furthermore, the NJCCIC received reports of several compromised browser extensions in Google Chrome and Microsoft Edge on multiple systems for various organizations. The compromised browser extensions include Visual Effects for Google Meet, AI Shop Buddy, ChatGPT Quick Access, Earny, Proxy SwitchyOmega, and Reader Mode.

Recommendations

  • Use Group Policy Objects (GPOs) to help prevent users from installing browser extensions.
  • Rotate passwords and tokens, clear session data (such as cookies, cache, saved passwords, and autofill forms), and review logs for suspicious activity.
  • Check if extensions are listed and flagged as malware in the browser settings.
  • Remove malicious browser extensions immediately.
  • Keep browsers and anti-virus/anti-malware software up to date.
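
To support the inventory and removal steps above, the following added example (not NJCCIC code) lists the extensions under a Chromium-based browser profile, the sensitive permissions each one requests, and whether its name matches one reported on this page. The `SENSITIVE` set and the name-based match are assumptions of this sketch, and the sample data is constructed.

```python
import json
import tempfile
from pathlib import Path

# Names reported on this page; it lists no extension IDs, so a name match is
# only a lead to investigate. Other extensions can share these names.
REPORTED = {"visual effects for google meet", "ai shop buddy", "chatgpt quick access",
            "earny", "proxy switchyomega", "reader mode"}
# Assumption: permissions treated as high-risk for triage (not a list from the page).
SENSITIVE = {"cookies", "history", "webRequest", "tabs", "scripting", "tabCapture",
             "clipboardRead", "<all_urls>", "*://*/*"}

def read_json(path):
    return json.loads(Path(path).read_text(encoding="utf-8-sig"))  # tolerate a BOM

def display_name(ext_dir, manifest):
    """Resolve a localized name (__MSG_key__) via _locales/<default_locale>/messages.json."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        try:
            msgs = read_json(ext_dir / "_locales" / locale / "messages.json")
            entry = {k.lower(): v for k, v in msgs.items()}.get(name[6:-2].lower(), {})
            name = entry.get("message", name)
        except (OSError, ValueError, AttributeError):
            pass  # keep the raw placeholder if the locale file is missing or malformed
    return name

def inventory(extensions_root):
    """Summarise every <extensions_root>/<id>/<version>/manifest.json found."""
    rows = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            m = read_json(mf)
            perms = {p for k in ("permissions", "host_permissions", "optional_permissions")
                     for p in (m.get(k) or []) if isinstance(p, str)}
            name = display_name(mf.parent, m)
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable or malformed manifest: skip it
        rows.append({"id": mf.parent.parent.name, "name": name, "version": m.get("version", ""),
                     "sensitive": sorted(perms & SENSITIVE), "reported": name.strip().lower() in REPORTED})
    return rows

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample, made-up ID
        ext = Path(d) / ("a" * 32) / "1.0_0"
        ext.mkdir(parents=True)
        (ext / "manifest.json").write_text(json.dumps({"name": "Earny", "version": "1.0", "permissions": ["cookies"]}))
        print(inventory(d))
```

On Windows, pass `inventory()` a profile's extension directory, for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` or `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions`, and repeat for each user profile.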