
Critical Vulnerability in Google Chrome: Millions Exposed to 2FA Bypass Threats

Update, Dec. 29: this story now includes an explanation of how 2FA bypass via session cookie theft works, along with expert advice on mitigating malicious Chrome extension attacks.

Hackers don’t take holidays, as demonstrated by a series of Google Chrome browser extension compromises that began in mid-December and have persisted through the holiday season. Here’s everything you need to know about the ongoing two-factor authentication (2FA) bypass attacks targeting millions of Chrome users.


Explaining the Latest Chrome Extension Attacks

On Dec. 27, Reuters reported that hackers had breached multiple companies by compromising their Chrome browser extensions. Using extensions as an attack vector is not new, but the scale of this campaign underscores how determined threat actors are to steal session cookies: a stolen cookie lets an attacker reuse an already-authenticated session without ever being challenged for a second factor, which is what makes these attacks a 2FA bypass.

This attack is part of a broader, coordinated effort targeting numerous companies and placing millions of users at risk. The attack on Cyberhaven, a security firm with over 400,000 corporate customers, illustrates both the danger such breaches pose and the importance of a swift response.

Howard Ting, CEO of Cyberhaven, provided details in a security alert:
“Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven’s Chrome extension. We want to share the full details of the incident and the steps we’re taking to protect our customers and mitigate any damage.”


The Cyberhaven Chrome Extension Attack: A Timeline

The Cyberhaven incident began on Dec. 24, when a phishing email successfully targeted an employee. The access the attacker obtained through that phish was used to reach the company's Google Chrome Web Store developer account and publish a malicious version of its Chrome extension.

Key details of the attack include:

  • Initial Access Vector: A phishing email targeted the support email address linked to Cyberhaven's Chrome extension listing.
  • Google OAuth Consent Abuse: The phishing link led to a genuine Google authorization flow that tricked the victim into granting a malicious OAuth application, named "Privacy Policy Extension", access to the account. Because the grant itself conferred the access, the attacker never needed the victim's password.
  • Advanced Protection Bypassed: The victim used Google Advanced Protection and multi-factor authentication (MFA), yet the attack succeeded without triggering an MFA prompt. Consenting to an OAuth application happens inside a session that is already signed in, so nothing in the consent flow asks for a second factor.

Late on Dec. 25, Cyberhaven detected the malicious extension and removed it from the Web Store within 60 minutes. A preliminary investigation revealed that the attacker had published version 24.10.4, a modified build of a clean prior version.


Mitigating the Risk of Malicious Chrome Extensions

Cyberhaven has shared the phishing email used in the attack to help others recognize and avoid similar threats. Security experts advise users to:

  • Regularly review installed Chrome extensions for unexpected version changes or newly requested permissions.
  • Enable advanced account protection features, such as Google Advanced Protection and hardware security keys, where available.
  • Educate employees about identifying phishing attempts and suspicious applications, including OAuth consent screens that ask for broad access.

The incident highlights the need for vigilance, especially during high-risk periods like the holiday season, when attackers are particularly active.
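The first recommendation above, checking extensions for unexpected changes, is easy to automate once a known-good baseline exists. The following is an added example and not code from Cyberhaven, Google or the original article: it compares installed extension manifests (constructed samples, with made-up extension ids) against a pinned baseline and flags version changes, newly granted permissions, and capabilities such as `cookies` or `<all_urls>` that would let an extension read the session cookies this campaign was after. It runs under Node.js.

```javascript
// Added example (not Cyberhaven's or Google's code): audit the Chrome
// extensions on a machine against a pinned baseline so that an unexpected
// version bump or a newly granted permission is flagged, as recommended above.
// Runs under Node.js. Every manifest and extension id here is a constructed
// sample, not real data.

// Permissions that let an extension read or rewrite authenticated traffic.
// A session cookie read through chrome.cookies is enough to reuse a login
// without the second factor, so these are treated as high risk.
const HIGH_RISK_PERMISSIONS = new Set([
  "cookies", "webRequest", "webRequestBlocking", "scripting",
  "debugger", "declarativeNetRequest", "webNavigation",
]);

// Host patterns that grant access to every site the user is logged in to.
const HIGH_RISK_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Known-good baseline recorded on a trusted day, keyed by extension id.
// (Real Chrome ids are 32 letters a-p; these ids are made up.)
const BASELINE = {
  abcdefghijklmnopabcdefghijklmnop: {
    version: "1.4.2",
    permissions: ["storage", "tabs"],
    hostPermissions: ["https://app.example.com/*"],
  },
};

// Split a manifest's permissions into API permissions and host patterns.
// Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
function splitPermissions(manifest) {
  const api = new Set();
  const hosts = new Set();
  for (const p of manifest.permissions || []) {
    (p === "<all_urls>" || p.includes("://") ? hosts : api).add(p);
  }
  for (const h of manifest.host_permissions || []) hosts.add(h);
  return { api, hosts };
}

// Numeric dotted-version compare returning -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Compare one installed manifest with its baseline entry and return findings;
// an empty list means nothing changed and nothing risky is present.
function auditExtension(id, manifest, baseline = BASELINE) {
  const findings = [];
  const { api, hosts } = splitPermissions(manifest);
  const base = baseline[id];
  if (!base) {
    findings.push(`not in baseline (unexpected extension ${manifest.name || id})`);
  } else {
    const cmp = compareVersions(manifest.version, base.version);
    if (cmp !== 0) {
      findings.push(`version ${base.version} -> ${manifest.version}${cmp < 0 ? " (downgrade)" : ""}`);
    }
    for (const p of api) if (!base.permissions.includes(p)) findings.push(`new permission ${p}`);
    for (const h of hosts) if (!base.hostPermissions.includes(h)) findings.push(`new host access ${h}`);
  }
  // Risky capabilities are reported even when the baseline already had them,
  // so they get a second look on every run.
  for (const p of api) if (HIGH_RISK_PERMISSIONS.has(p)) findings.push(`high-risk permission ${p}`);
  for (const h of hosts) if (HIGH_RISK_HOSTS.has(h)) findings.push(`high-risk host pattern ${h}`);
  return findings;
}

// Audit every installed extension; returns { id: [findings] } for those with findings.
function auditAll(installed, baseline = BASELINE) {
  const report = {};
  for (const [id, manifest] of Object.entries(installed)) {
    const f = auditExtension(id, manifest, baseline);
    if (f.length > 0) report[id] = f;
  }
  return report;
}

// Constructed sample: the baseline extension after a silent update that added
// the cookies permission and access to every site, plus an unknown extension.
const INSTALLED = {
  abcdefghijklmnopabcdefghijklmnop: {
    name: "Example Corp Helper", version: "1.4.3", manifest_version: 3,
    permissions: ["storage", "tabs", "cookies"],
    host_permissions: ["https://app.example.com/*", "<all_urls>"],
  },
  ponmlkjihgfedcbaponmlkjihgfedcba: {
    name: "Unknown Toolbar", version: "0.0.1", manifest_version: 2,
    permissions: ["storage"],
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditAll(INSTALLED), null, 2));
}
```

On a managed fleet the same baseline can be enforced rather than just audited: Chrome's ExtensionSettings enterprise policy accepts a per-extension `blocked_permissions` list and an `installation_mode`, so an update that suddenly asks for `cookies` can be refused by the browser instead of merely reported by a script. An extension that already held the cookies permission on the known-good day is the hard case; the audit above keeps reporting it so a human re-evaluates whether that access is still justified.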


How to Mitigate 2FA Bypass Attacks and Lessons from the Cyberhaven Incident

The Federal Bureau of Investigation (FBI) has been sounding the alarm about session cookie theft since Oct. 30, warning that cybercriminals are using this method to bypass two-factor authentication (2FA) protections. With these attacks on the rise, understanding how to mitigate risks is more critical than ever.

“There are numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks,” a Google spokesperson explained. “Google research shows that security keys offer stronger protection against automated bots, bulk phishing, and targeted attacks compared to SMS, app-based one-time passwords, or other traditional 2FA methods.”


Why OAuth Permissions Are a Critical Vulnerability

One major issue is that employees often unknowingly grant permissions to malicious third-party apps by clicking through single sign-on and authorization screens. “On the server side, this could be mitigated by blocking apps that request risky OAuth scopes unless explicitly authorized,” said Vivek Ramachandran, founder of SquareX. “While maintaining a whitelist may not always be practical and could reduce productivity, a client-side Browser Detection-Response tool can help bridge the gap.”


How Cyberhaven Responded to the Attack

In the recent Cyberhaven Chrome extension incident, the company notified both affected and unaffected customers to maintain full transparency. The malicious version of the extension was quickly removed from the Chrome Web Store, and a clean build (version 24.10.5) was pushed to users through the Web Store's automatic update mechanism.


Best Practices to Mitigate 2FA Bypass Risks

To reduce the likelihood of falling victim to these types of attacks, experts recommend:

  1. Adopt Phishing-Resistant Authentication: Use security keys or passkeys instead of traditional 2FA methods like SMS or app-based one-time passwords.
  2. Educate Employees: Train staff to recognize phishing attempts and to read OAuth consent screens carefully before granting permissions to third-party apps.
  3. Implement Client-Side Detection Tools: Use browser-based tools to flag and respond to suspicious activity in real time.
  4. Limit Risky OAuth Scopes: Block applications that request high-risk permissions unless they have been explicitly authorized.
  5. Stay Transparent and Act Quickly: If an incident occurs, notify affected parties immediately, remove compromised extensions or apps, and deploy clean updates promptly.

By combining these practices, organizations can better protect themselves against sophisticated 2FA bypass techniques and ensure a more secure online environment.
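Both Ramachandran's suggestion above (block apps requesting risky OAuth scopes unless explicitly authorized) and best practice 4 come down to the same policy check. The following is an added example, not code from Cyberhaven, Google or SquareX: it extracts the requested scopes either from an authorization URL of the kind a consent-phishing email links to, or from a consent audit event recorded afterwards, and returns allow, block or review. The scope strings are real Google scopes; the client ids, app names and events are constructed, and the event shape is an assumption modeled on Google Workspace "token" audit activities rather than a guaranteed format. It runs under Node.js.

```javascript
// Added example (not code from Cyberhaven, Google or SquareX): triage OAuth
// consent grants the way the quote above describes, allowing explicitly
// authorized client ids and blocking any other app that asks for a risky
// scope. Runs under Node.js. The scope URLs are real Google scopes; the
// client ids, app names and events are constructed, and the audit event
// shape is an assumption modeled on Google Workspace "token" activities.

// Scopes whose grant hands over something 2FA was meant to protect. Chrome
// Web Store publishing rights are what lets an attacker ship a malicious
// extension version under a legitimate developer's name.
const RISKY_SCOPES = new Map([
  ["https://www.googleapis.com/auth/chromewebstore", "publish Chrome Web Store items"],
  ["https://mail.google.com/", "full Gmail access"],
  ["https://www.googleapis.com/auth/drive", "full Drive access"],
  ["https://www.googleapis.com/auth/admin.directory.user", "manage Workspace users"],
]);

// Scopes treated as harmless; anything neither benign nor risky goes to review.
const BENIGN_SCOPES = new Set([
  "openid", "email", "profile",
  "https://www.googleapis.com/auth/userinfo.email",
  "https://www.googleapis.com/auth/userinfo.profile",
]);

// Explicitly authorized OAuth clients (constructed ids): the allowlist that
// "unless explicitly authorized" refers to.
const ALLOWED_CLIENT_IDS = new Set(["1234567890-internal.apps.googleusercontent.com"]);

// Extract client id and scopes from an authorization URL, i.e. the link a
// consent-phishing email points at. Scopes are space-separated in the query.
function grantFromAuthUrl(url) {
  const u = new URL(url);
  return {
    actor: "",
    appName: "",
    clientId: u.searchParams.get("client_id") || "",
    scopes: (u.searchParams.get("scope") || "").split(/\s+/).filter(Boolean),
  };
}

// Extract the same fields from an audit event recorded after the grant.
function grantFromAuditEvent(activity) {
  const grant = { actor: (activity.actor && activity.actor.email) || "", appName: "", clientId: "", scopes: [] };
  for (const ev of activity.events || []) {
    if (ev.name !== "authorize") continue;
    for (const p of ev.parameters || []) {
      if (p.name === "client_id") grant.clientId = p.value;
      if (p.name === "app_name") grant.appName = p.value;
      if (p.name === "scope") grant.scopes = p.multiValue || [p.value];
    }
  }
  return grant;
}

// Decide allow, block or review for one grant and explain why.
function triageGrant(grant) {
  if (ALLOWED_CLIENT_IDS.has(grant.clientId)) {
    return { verdict: "allow", reasons: ["client id explicitly authorized"] };
  }
  let verdict = "allow";
  const reasons = [];
  for (const s of grant.scopes) {
    if (RISKY_SCOPES.has(s)) {
      verdict = "block";
      reasons.push(`risky scope ${s}: ${RISKY_SCOPES.get(s)}`);
    } else if (!BENIGN_SCOPES.has(s)) {
      if (verdict === "allow") verdict = "review";
      reasons.push(`unclassified scope ${s}`);
    }
  }
  if (reasons.length === 0) reasons.push("only benign scopes requested");
  return { verdict, reasons };
}

// Triage a batch of audit events; returns one verdict per event.
function triageAuditLog(activities) {
  return activities.map((a) => {
    const g = grantFromAuditEvent(a);
    return { actor: g.actor, appName: g.appName, ...triageGrant(g) };
  });
}

// Constructed authorization URL of the kind a consent-phishing mail links to.
const PHISH_URL =
  "https://accounts.google.com/o/oauth2/v2/auth?response_type=code" +
  "&client_id=9876543210-phish.apps.googleusercontent.com" +
  "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb" +
  "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore";

// Constructed audit events: the phished grant (app name taken from the
// incident report), an allowlisted deploy tool asking for the same scope,
// and an unclassified read-only calendar app.
const AUDIT_EVENTS = [
  { actor: { email: "dev@example.com" }, events: [{ name: "authorize", parameters: [
    { name: "client_id", value: "9876543210-phish.apps.googleusercontent.com" },
    { name: "app_name", value: "Privacy Policy Extension" },
    { name: "scope", multiValue: ["openid", "email", "https://www.googleapis.com/auth/chromewebstore"] },
  ] }] },
  { actor: { email: "ops@example.com" }, events: [{ name: "authorize", parameters: [
    { name: "client_id", value: "1234567890-internal.apps.googleusercontent.com" },
    { name: "app_name", value: "Internal Deploy Bot" },
    { name: "scope", multiValue: ["https://www.googleapis.com/auth/chromewebstore"] },
  ] }] },
  { actor: { email: "pm@example.com" }, events: [{ name: "authorize", parameters: [
    { name: "client_id", value: "5555555555-cal.apps.googleusercontent.com" },
    { name: "app_name", value: "Meeting Scheduler" },
    { name: "scope", multiValue: ["openid", "https://www.googleapis.com/auth/calendar.readonly"] },
  ] }] },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(triageGrant(grantFromAuthUrl(PHISH_URL)));
  console.log(triageAuditLog(AUDIT_EVENTS));
}
```

The point of the three-way verdict is that a pure allowlist, as Ramachandran notes, is hard to maintain: unknown apps asking only for benign scopes can pass, unknown apps asking for unclassified scopes can wait for a human, and only the dangerous combination (unknown client plus a scope such as Chrome Web Store publishing) is refused outright. Running the audit-log half of the check on the consent events from the day before a release would have surfaced a grant like the first one, since the scope it requests has no business coming from a "privacy policy" app.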
