Confirmed Google Chrome Two-Factor Authentication Bypass Assaults Impact Multitudes of Users, Potentially Endangered
Update, Dec. 31, 2024: This article, originally published Dec. 29, now includes an explanation of how the 2FA bypass via session cookie compromise works, advice from security experts on mitigating this attack, and guidance from Google on Chrome browser extension security.
Cybercriminals don't take breaks, as demonstrated by a string of compromises of Google Chrome browser extensions dating back to mid-December and continuing through the holiday season. Here's what you need to know about the continuing Google Chrome two-factor authentication (2FA) bypass attacks.
The Recent Google Chrome Browser Extension Attacks Explained
December 27 saw Reuters report that "hackers have compromised several different companies' Chrome browser extensions in a series of intrusions." It's not a new tactic for hackers to use Chrome extensions as an attack vector, but the scale of this latest campaign suggests just how determined they are to steal session cookies and bypass 2FA protections.
Although it is only one part of what appears to be a coordinated and wide-reaching campaign targeting multiple companies and their Chrome extensions, the number of users at risk is likely in the millions. The attack against security company Cyberhaven is worth examining, not only for its potential dangers but also for the speed of the response. Cyberhaven has over 400,000 corporate customers, and the swiftness with which it responded to the attack is both a warning and a lesson.
"Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven's Chrome extension," Howard Ting, CEO of the data attack detection and incident response company, said in a security alert posting, "We want to share the full details of the incident and steps we’re taking to protect our customers and mitigate any damage."
The Cyberhaven Chrome Extension Attack
The attack against Cyberhaven customers began on December 24 when a phishing attack successfully compromised an employee. Importantly, this included a credentials compromise, giving the attacker access to the Google Chrome Web Store. Using these credentials, the attacker published a malicious version of Cyberhaven's Chrome extension. The malicious extension wasn't discovered until late on December 25 and was removed within 60 minutes.
A preliminary investigation into the attack revealed that the initial access vector was a phishing email sent to the registered support email for Cyberhaven's Chrome extension, targeting its developers. Cyberhaven has made this email available to warn others of what such an initial attack looks like.
When the victim clicked on the link, they were directed to the Google authorization flow for "adding a malicious OAuth Google application called Privacy Policy Extension," according to Cyberhaven. This flow was hosted on Google.com and was the standard process for granting a third-party application access to a Google account. Although the employee had Google Advanced Protection enabled and multi-factor authentication covering their account, no multi-factor authentication prompt was received, and their Google credentials were not compromised; what the attacker obtained was an authorization grant to the employee's account. A malicious extension (24.10.4), based on a clean prior version of the official Cyberhaven Chrome extension, was then uploaded to the Chrome Web Store.
Chrome Extension Attack—A 2FA Bypass Explained
Although two-factor authentication remains a crucial layer in your credential verification security protections, that does not mean it is invulnerable to attack. People often incorrectly assume that only SMS text message 2FA is open to interception and that using a code-generating authentication app is a silver bullet. Apps are a much stronger method for most people, and SMS codes are still better than no 2FA at all, but attackers can get past this authentication layer either way. Strictly speaking, they do not bypass the 2FA check; they reuse its result. Using an attacker-in-the-middle technique, the attacker captures the session cookie that the site issues once a correct code has been entered, and later replays that cookie to resume the session as the authenticated user, without ever being asked for a second factor.
Chrome Extension 2FA Bypass Attack—Impact And Scope
According to Ting, the impact and scope of the Cyberhaven Chrome extension attacks are as follows:
The only version of the Chrome extension impacted was 24.10.4, with the malicious code only active between Christmas Day and Boxing Day. Only browsers that auto-updated during the attack period would have been affected.
For those browsers running the compromised extension, Cyberhaven has confirmed that it "could have exfiltrated cookies and authenticated sessions for certain targeted websites." The initial investigation suggests that the targeted logins were social media advertising and AI platforms.
"Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD processes and code signing keys, were compromised," Ting said.
Mitigating 2FA Bypass Attacks And Responding To The Cyberhaven Chrome Extension Incident
With the Federal Bureau of Investigation warning people on October 30 about session cookie theft by cybercriminals in order to bypass 2FA account protections, it's long past time to be aware and take action to protect yourself. Some protections to combat such attacks include the use of passkeys, which substantially reduce the impact of phishing and other social engineering attacks. Google research has shown that security keys provide stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.
One issue often arises when workers click through single sign-on and authorization screens, potentially giving permissions to unidentified third-party apps, as pointed out by Vivek Ramachandran, SquareX's founder. To put a stop to this on the server side, apps requesting risky OAuth scopes shouldn't be allowed unless they've been authorized. Although making a whitelist might not always be feasible and could potentially decrease efficiency, a client-side Browser Detection-Response tool can take its place.
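The server-side control described above, as an added example that is not code from the article, SquareX or Google: a consent request that asks for risky OAuth scopes is denied unless the organization has explicitly approved that app for those scopes. The policy is keyed on the provider-assigned client ID, not the display name, because the name on the consent screen is chosen by whoever registered the app. The client IDs, the allowlist and the sample request are constructed; the scope strings are illustrative.

```python
"""Server-side allowlist check for third-party OAuth app authorizations.

Added example, not code from the article, SquareX or Google. It models the
advice that an app asking for risky OAuth scopes is denied unless the
organization has explicitly approved that app for those scopes. Client IDs,
the allowlist and the request below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    client_id: str      # identifier the identity provider assigns to the app
    display_name: str   # chosen by the app registrant; shown on the consent screen
    scopes: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    scopes_of_concern: tuple


# Scopes that reach mail, files or a developer's store account.
# Illustrative set; an organization would tune this to its own providers.
RISKY_SCOPES = frozenset({
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/chromewebstore",
})

# Approved apps, keyed by client ID, mapped to the risky scopes approved for them.
# Constructed entries for illustration.
ALLOWLIST = {
    "1234567890-approved-helpdesk.apps.example": frozenset({
        "https://www.googleapis.com/auth/gmail.readonly",
    }),
}


def evaluate(req: AuthRequest, allowlist=ALLOWLIST, risky=RISKY_SCOPES) -> Decision:
    """Decide whether a consent request may proceed.

    The display name is ignored on purpose: it is attacker-controlled, so
    only the client_id is used to look up approval.
    """
    risky_requested = tuple(sorted(req.scopes & risky))
    if not risky_requested:
        return Decision(True, "no risky scopes requested", ())
    approved = allowlist.get(req.client_id)
    if approved is None:
        return Decision(False, "risky scopes requested by an app that is not on the allowlist",
                        risky_requested)
    excess = tuple(s for s in risky_requested if s not in approved)
    if excess:
        return Decision(False, "app is approved but requested scopes beyond its approval", excess)
    return Decision(True, "approved app within its approved scopes", risky_requested)


# Constructed request mirroring the consent screen described in the article:
# a benign-sounding name plus a scope that can reach a Chrome Web Store account.
PHISHING_STYLE_REQUEST = AuthRequest(
    client_id="9876543210-unknown.apps.example",
    display_name="Privacy Policy Extension",
    scopes=frozenset({"https://www.googleapis.com/auth/chromewebstore", "openid", "email"}),
)

if __name__ == "__main__":
    d = evaluate(PHISHING_STYLE_REQUEST)
    print(d.allowed, d.reason, d.scopes_of_concern)
```

Requests that carry no risky scope pass through untouched, so the allowlist only has to enumerate the small set of apps that genuinely need privileged access, which keeps the efficiency cost the text mentions low.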
Regarding this specific attack, affected users were alerted by Cyberhaven, alongside those not directly affected in the pursuit of total transparency. The malicious Chrome extension was subsequently removed from the Chrome Web Store, and the secure version, 24.10.5, was automatically installed. Ting suggested that users running version 24.10.4 of the Chrome extension during the affected period should verify if their extension has been updated to version 24.10.5 or later. I reached out to Google for a comment.
Google's Advice on Safeguarding Yourself While Employing Chrome Web Browser Extensions
Members of the Chrome safety team, consisting of Benjamin Ackerman, Anunoy Ghosh, and David Warren, have shared these tips for staying secure when using Chrome extensions:
Recognizing that, like any software, Chrome extensions can present both advantages and risks, the Chrome safety team emphasizes its primary goal: ensuring user safety as extensions are installed and utilized.
The team achieves this objective by:
- Offering users a personalized rundown of all the Chrome browser extensions installed on their device.
- Examining all extensions prior to their publication on the Chrome Web Store.
- Continually inspecting those extensions once they've been published.
Enter "chrome://extensions" into your browser's address bar to see the extensions you have installed; if any are considered potentially dangerous, a warning panel appears at the top of the page. If you don't see a warning panel, that is not a guarantee, but it likely means there are no dubious extensions installed, according to the Chrome safety team. A warning panel, when present, includes information on:
- Extensions suspected of containing malware.
- Extensions violating the Chrome Web Store's policies.
- Extensions that have been withdrawn from the store by a developer, possibly indicating that an extension is no longer supported.
- Extensions not from the Chrome Web Store.
- Extensions that don't detail their data collection and privacy practices.
The Chrome safety team also suggested running a Chrome Safety Check by typing "run safety check" in the Chrome address bar and selecting "Go to Chrome safety check." Although the safety check will notify you if it has suggestions regarding your security, it's always a good idea to be proactive, in my opinion.
How the Chrome Safety Team Evaluates Extensions Before Publishing to the Chrome Web Store
"Before a Chrome extension can be installed from the Chrome Web Store," Ackerman, Ghosh, and Warren stated, "we conduct two levels of verification to ensure its safety." The first level is automated, involving Google's AI-powered machine-learning systems analyzing every Chrome browser extension to detect potential violations or suspicious behavior. Subsequently, there's a human review, where a member of the Chrome safety team examines each extension's images, descriptions, and public policies. "Depending on the outcomes of both the automated and human review," the Chrome safety team said, "we may carry out a more extensive and thorough review of the code." In 2024, Google reported that less than 1% of all installations from the Chrome Web Store contained malware. "We're pleased with this figure," the security team said, "but some risky extensions still manage to slip through," which is why they also monitor published extensions.
The Chrome safety team also evaluates extensions already present on the Chrome Web Store, employing both automated and human processes. Google collaborates with external security researchers, some of whom receive bug bounties, to uncover and report prospective Chrome threats through the Developer Data Protection Rewards Program.
Regarding extensions updated over time, designed to execute malicious code at a later date, Google's Chrome safety team endeavors to identify these as well. However, as was evident in this incident, this does not always succeed as efficiently as we'd like or, for that matter, expect. The procedure involves periodically checking what extensions are doing and comparing that activity to the objectives defined by each extension in the Chrome Web Store. "If the team finds that an extension poses a major risk to Chrome users," the security team said, "it is immediately removed from the Chrome Web Store, and the extension is disabled on all browsers with it installed." Despite these measures, Google encourages Chrome users to periodically review their extensions as well as enabling the enhanced protection mode of Safe Browsing, which offers Chrome's highest level of protection.
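The periodic extension review recommended above, and the version check Cyberhaven asked users to make, as an added example that is not Google's or Cyberhaven's code. It reads an extension's manifest.json, flags the permission combination that lets an extension read session cookies for any site, flags extensions whose update source is not the Chrome Web Store update endpoint, and checks the version against a table of first-known-clean versions. The 24.10.4 and 24.10.5 version numbers come from the article; the extension name, the manifests and the policy table are constructed.

```python
"""Audit Chrome extension manifests during a periodic extension review.

Added example, not Google's or Cyberhaven's code. Given a manifest.json
(constructed inline here), it flags permissions that let an extension read
cookies or reach every site, flags extensions whose update source is not the
Chrome Web Store, and checks the version against a table of first-clean
versions. Versions 24.10.4 / 24.10.5 are from the article; the extension
name and manifests are constructed.
"""
import json

# Update endpoint Chrome records for extensions installed from the Chrome Web Store.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Permissions that matter most for session-cookie theft or broad interception.
HIGH_RISK_PERMISSIONS = frozenset({"cookies", "webRequest", "debugger", "nativeMessaging"})
BROAD_HOST_PATTERNS = frozenset({"<all_urls>", "*://*/*", "http://*/*", "https://*/*"})

# Extension name -> first version known to be clean (constructed name, versions from the article).
MIN_CLEAN_VERSION = {"Example DLP Extension": "24.10.5"}


def parse_version(v: str) -> tuple:
    """Chrome versions are 1-4 dot-separated integers; compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def audit_manifest(manifest: dict, min_clean=MIN_CLEAN_VERSION) -> list:
    """Return a list of findings for one manifest (empty means nothing notable)."""
    name = manifest.get("name", "<unnamed>")
    version = manifest.get("version", "0")
    perms = set(manifest.get("permissions", []))
    # Manifest V2 put host patterns in "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    findings = []

    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append(f"{name} {version}: high-risk permissions {risky}")
    if hosts & BROAD_HOST_PATTERNS:
        findings.append(f"{name} {version}: host access to all sites")
    if "cookies" in perms and hosts & BROAD_HOST_PATTERNS:
        findings.append(f"{name} {version}: can read session cookies for any site (cookies + broad hosts)")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append(f"{name} {version}: not updated from the Chrome Web Store")
    floor = min_clean.get(name)
    if floor and parse_version(version) < parse_version(floor):
        findings.append(f"{name} {version}: below first clean version {floor}; update and rotate sessions")
    return findings


def audit_manifest_json(text: str, min_clean=MIN_CLEAN_VERSION) -> list:
    """Convenience wrapper for a raw manifest.json string."""
    return audit_manifest(json.loads(text), min_clean)


# Constructed manifests. The first mimics the compromised version described in
# the article (cookie access across all sites); the second is a narrower, benign build.
COMPROMISED_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example DLP Extension",
    "version": "24.10.4",
    "permissions": ["cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "update_url": WEBSTORE_UPDATE_URL,
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example DLP Extension",
    "version": "24.10.5",
    "permissions": ["storage"],
    "host_permissions": ["https://intranet.example/*"],
    "update_url": WEBSTORE_UPDATE_URL,
})

if __name__ == "__main__":
    for finding in audit_manifest_json(COMPROMISED_MANIFEST):
        print(finding)
```

A static manifest check cannot tell whether an extension actually does what it declares, which is why the text describes Google comparing observed behaviour against stated objectives; what this script gives a reviewer is the short list of installed extensions whose declared access is broad enough to warrant that closer look, plus a hard signal when an installed version is older than a known-clean one.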
- Despite Google's efforts to ensure Chrome extension security, cybercriminals managed to compromise several companies' Chrome extensions, including Cyberhaven, to bypass 2FA protections.
- To mitigate 2FA bypass attacks, security experts advise using passkeys as they provide stronger protection against phishing and other social engineering attacks compared to SMS or app-based one-time passwords.
- Google Chrome's safety team provides tips for users to stay secure while using Chrome extensions, including regularly checking the list of installed extensions for potential threats and running a Chrome Safety Check.
- The Cyberhaven Chrome extension attack was a 2FA bypass attempt where the attacker successfully compromised an employee's credentials, gained access to the Google Chrome Web Store, and published a malicious version of the extension to bypass 2FA protections.
- In response to the Cyberhaven incident, Google's Chrome safety team emphasized that while they conduct automated and human reviews of Chrome extensions before publishing them on the Chrome Web Store, some risky extensions might still slip through and that users should periodically review their extensions and enable Safe Browsing's enhanced protection mode.