ChannelLife UK - Industry insider news for technology resellers

SquareX reveals critical breach of Cyberhaven extension

Tue, 31st Dec 2024

SquareX has disclosed a browser security incident in which attackers targeted Chrome extension developers, resulting in the compromise of Cyberhaven's browser extension.

SquareX reported that a malicious version of Cyberhaven's browser extension was published to the Chrome Web Store on 25 December 2024. The malicious build allowed attackers to hijack users' authenticated sessions and exfiltrate sensitive information. Although the compromised version was removed after roughly 30 hours, it had already reached over 400,000 users.

A week before the breach, SquareX researchers had demonstrated the attack pathway in a video, describing an OAuth-based attack that seizes control of a developer's extensions on the Chrome Web Store. The attack lures developers with phishing emails that impersonate official Chrome Web Store communications. The emails claim a violation of the "Developer Agreement" and prompt the recipient to authorise a "Privacy Policy Extension" OAuth application; consenting grants the attacker's application a token with permission to upload and publish extensions from the developer's account. Because the consent screen is a genuine Google OAuth flow, the attacker obtains this access without ever handling the developer's password or defeating multi-factor authentication.
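The control point in the flow above is the OAuth consent request itself: a legitimate accounts.google.com URL whose scope parameter asks for Chrome Web Store access on behalf of a client the organisation has never vetted. The following added example (written for this page, not SquareX's or Cyberhaven's code) shows the minimal check a browser-side or proxy-side control would apply: parse the consent URL, extract client_id and scopes, and block any request for a Chrome Web Store scope from a client that is not on an allowlist. The allowlisted client ID and the sample URLs are constructed placeholders; the scope strings are Google's real Chrome Web Store API scopes.

```python
from urllib.parse import urlparse, parse_qs

# Google OAuth scopes that let a client read or manage (upload/publish) Chrome Web Store items.
CHROME_WEB_STORE_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore",
    "https://www.googleapis.com/auth/chromewebstore.readonly",
}

# Hypothetical allowlist: OAuth client IDs the organisation has vetted for
# Chrome Web Store access (for example its own release pipeline). Placeholder value.
APPROVED_CWS_CLIENT_IDS = {
    "000000000000-releasepipeline.apps.googleusercontent.com",
}


def parse_google_oauth_request(url):
    """Return (client_id, set_of_scopes) for a Google OAuth consent URL, or None otherwise."""
    u = urlparse(url)
    if u.scheme != "https" or u.netloc != "accounts.google.com":
        return None
    # Both /o/oauth2/auth and /o/oauth2/v2/auth are consent endpoints.
    if not u.path.startswith("/o/oauth2/"):
        return None
    params = parse_qs(u.query)
    client_id = params.get("client_id", [""])[0]
    # 'scope' is a space-separated list; tolerate it being repeated as well.
    scopes = set(" ".join(params.get("scope", [])).split())
    return client_id, scopes


def assess_oauth_request(url):
    """'block' a consent request for Chrome Web Store scopes from an unapproved client,
    'allow' any other Google OAuth request, 'ignore' URLs that are not Google OAuth."""
    parsed = parse_google_oauth_request(url)
    if parsed is None:
        return "ignore"
    client_id, scopes = parsed
    if scopes & CHROME_WEB_STORE_SCOPES and client_id not in APPROVED_CWS_CLIENT_IDS:
        return "block"
    return "allow"


# Constructed sample URLs (not captured from the incident).
PHISHING_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=999999999999-attacker.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore+openid+email"
)
PIPELINE_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-releasepipeline.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fci.example.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore"
)
BENIGN_LOGIN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=888888888888-somesaas.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fsaas.example.invalid%2Fcallback"
    "&response_type=code&scope=openid+email"
)

if __name__ == "__main__":
    for name, url in [("phishing", PHISHING_CONSENT_URL),
                      ("pipeline", PIPELINE_CONSENT_URL),
                      ("benign login", BENIGN_LOGIN_URL)]:
        print(f"{name}: {assess_oauth_request(url)}")
```

The check deliberately keys on the scope rather than on the application's display name, since the name ("Privacy Policy Extension") is entirely attacker-controlled while the scope is what actually confers publish rights. A benign "Sign in with Google" request asking only for openid and email passes, so the rule does not interfere with ordinary SaaS logins.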

SquareX highlighted that extensions have become attractive entry points for attackers, due to organisations' limited oversight of the extensions used by employees. Security teams often do not monitor changes post-approval of an extension, allowing attackers to replace legitimate extensions with malicious ones. In Cyberhaven's instance, this led to the exfiltration of company credentials through trusted web applications.
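The gap described above is that an extension is vetted once and then auto-updates silently, so a later version can carry permissions and injection targets the approval never covered. The following added example (written for this page, not Cyberhaven's or SquareX's code) shows the kind of post-approval check a security team can run on each update: diff the previously approved manifest.json against the new one and flag new permissions, new host patterns and new content-script injection targets. The two manifests are constructed samples; the high-risk permission list is illustrative, not an authoritative one.

```python
import json

# Permissions and host patterns that warrant human review when they first appear in an
# update. Illustrative list only.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "debugger", "scripting", "tabs",
    "<all_urls>", "*://*/*",
}


def _content_script_matches(manifest):
    """Set of URL patterns the manifest's content scripts are injected into."""
    matches = set()
    for cs in manifest.get("content_scripts", []):
        matches.update(cs.get("matches", []))
    return matches


def diff_manifests(old, new):
    """Compare two manifest.json snapshots; return a list of (severity, message) findings."""
    findings = []
    if old.get("version") != new.get("version"):
        findings.append(("info", f"version {old.get('version')} -> {new.get('version')}"))
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for p in sorted(set(new.get(key, [])) - set(old.get(key, []))):
            sev = "high" if p in HIGH_RISK_PERMISSIONS else "medium"
            findings.append((sev, f"new {key}: {p}"))
    for m in sorted(_content_script_matches(new) - _content_script_matches(old)):
        sev = "high" if m in HIGH_RISK_PERMISSIONS else "medium"
        findings.append((sev, f"content script now injected on: {m}"))
    if old.get("background") != new.get("background"):
        findings.append(("medium", "background script definition changed"))
    return findings


def needs_review(findings):
    """True if any finding is high severity, i.e. the update should be held for approval."""
    return any(sev == "high" for sev, _ in findings)


# Constructed sample manifests (not Cyberhaven's real manifests).
OLD_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example DLP Helper",
  "version": "1.0.0",
  "permissions": ["storage"],
  "host_permissions": ["https://app.example.com/*"],
  "content_scripts": [{"matches": ["https://app.example.com/*"], "js": ["content.js"]}],
  "background": {"service_worker": "background.js"}
}""")

NEW_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example DLP Helper",
  "version": "1.0.1",
  "permissions": ["storage", "cookies"],
  "host_permissions": ["https://app.example.com/*", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
  "background": {"service_worker": "background.js"}
}""")

if __name__ == "__main__":
    for sev, msg in diff_manifests(OLD_MANIFEST, NEW_MANIFEST):
        print(f"[{sev}] {msg}")
    print("hold for review:", needs_review(diff_manifests(OLD_MANIFEST, NEW_MANIFEST)))
```

The manifests can be taken from the unpacked extension directory on a managed endpoint or from the CRX package fetched from the Chrome Web Store for the pinned and the newly published version. A version bump alone is only informational; what turns an update into a review item is a new ability, such as the cookies permission or injection into every origin, that the original approval never granted.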

Because developer contact emails are publicly listed on the Chrome Web Store, attackers can target many developers at once. These addresses are intended mainly for bug reports and often route to developers who are not trained to recognise such threats. As the Cyberhaven breach occurred shortly after SquareX's disclosure, the company suspects that similar attacks are under way against other browser extension providers.

SquareX strongly recommends thorough scrutiny before installing or updating browser extensions to prevent such breaches.

In their research, SquareX outlined the complexities involved in evaluating browser extensions, especially for zero-day attacks. The company noted that the fake privacy policy app involved in the Cyberhaven breach was not detected by popular threat feeds, illustrating the challenges of identifying such sophisticated threats.

To aid security teams, SquareX's Browser Detection and Response (BDR) solution offers several protective measures. These include blocking unauthorised OAuth interactions, flagging suspicious extension updates, monitoring sudden surges in negative reviews, and controlling the installation of sideloaded extensions. It also provides full visibility of all browser extensions used within an organisation.

Vivek Ramachandran, Founder of SquareX, commented, "Identity attacks targeting browser extensions similar to this OAuth attack will only become more prevalent as employees rely on more browser-based tools to be productive at work. Similar variants of these attacks have been used in the past to steal cloud data from apps like Google Drive and OneDrive, and we will only see attackers get more creative in exploiting browser extensions. Companies need to remain vigilant and minimise their supply chain risk without hampering employee productivity by equipping them with the right browser native tools."
