Google Chrome 2FA Bypass Attacks Confirmed—Millions Of Users At Risk


Update, Dec. 31, 2024: This story, originally published Dec. 29, now includes an explanation of how a 2FA bypass via session cookie compromise works, advice from security experts about mitigating this attack and a statement from Google regarding Chrome browser extension security.

Hackers don’t take holidays, as a series of compromises of Google Chrome browser extensions dating back to mid-December and continuing through the seasonal break attests. Here’s everything you need to know about the ongoing Google Chrome two-factor authentication bypass attacks.


The Latest Google Chrome Browser Extension Attacks Explained

As reported Dec. 27 by Reuters, “hackers have compromised several different companies’ Chrome browser extensions in a series of intrusions.” That threat actors are using Chrome extensions as an attack methodology is nothing new, but the extent of this latest campaign would appear to show how determined hackers are to steal session cookies and bypass your two-factor authentication protections.

Although just one part of what appears to be a coordinated and wide-reaching campaign targeting multiple companies and their Chrome extensions, with the total number of users at risk likely in the millions, the attack against security company Cyberhaven is worth examining: with some 400,000 corporate customers alone, it both illustrates the potential dangers of such attacks and shows why responding to them quickly is key.

“Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven’s Chrome extension,” Howard Ting, CEO of the data attack detection and incident response company, said in a security alert posting. “We want to share the full details of the incident and steps we’re taking to protect our customers and mitigate any damage.”


The Cyberhaven Chrome Extension Attack

The attack against Cyberhaven customers started Dec. 24 when a phishing threat successfully managed to compromise an employee. Importantly, this included a credentials compromise that enabled the attacker to gain access to the Google Chrome Web Store. “The attacker used these credentials to publish a malicious version of our Chrome extension,” Ting confirmed. The malicious extension wasn’t discovered until late on Dec. 25 after which it was removed within 60 minutes.

A preliminary investigation into the attack revealed that the initial access vector was by way of a phishing email sent to the registered support email for Cyberhaven’s Chrome extension, targeting the developers. Cyberhaven has made this email available so as to warn others of what such an initial attack looks like.

When the victim clicked on the link, they found themselves within the Google authorization flow for “adding a malicious OAuth Google application called Privacy Policy Extension,” Cyberhaven said. This flow was hosted on Google.com and is part of the standard process for granting access to third-party Google applications; in this case, it inadvertently authorized a malicious application. “The employee had Google Advanced Protection enabled and had MFA covering his account,” Cyberhaven said. No multi-factor authentication prompt was received and the employee’s Google credentials were not compromised in the attack. A malicious extension (24.10.4) based on a clean prior version of the official Cyberhaven Chrome extension was then uploaded to the Chrome Web Store.


Chrome Extension Attack—A 2FA Bypass Explained

Although two-factor authentication remains a vital layer in your credential verification security protections, that doesn’t mean it is invulnerable to attack. People often incorrectly assume that only SMS-based 2FA codes are open to interception and that using a code-generating authentication app is the silver bullet. While apps are a much stronger 2FA method for most people, and SMS codes are still better than no 2FA protection at all, attackers can still defeat this authentication layer. Strictly speaking, they don’t bypass it but clone its result. An attacker will, by whatever method, redirect the victim to a genuine-looking login page where credentials are entered. When it comes to the 2FA code entry step, an attacker-in-the-middle technique captures the session cookie that is created once a correct code is entered and stores it for later use. This cookie does what it says on the tin, flagging that user session as appropriately authorized. Of course, if an attacker has a copy of that cookie they can then replay that session at their leisure and still be seen as the authenticated user.
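The replay described above is what a server-side session store can detect: a cookie that was issued after a successful 2FA check but then turns up from a different client. The following is an added example (not code from the article or from any vendor it mentions) that binds each session to a hash of the user agent and source IP, an assumed binding that is a heuristic and can produce false positives on mobile networks; a valid cookie presented from a different context is treated as a likely stolen cookie and revoked, which also kills the attacker's copy.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory session store; a real deployment would use a server-side store.
SESSIONS = {}
SESSION_TTL = 8 * 3600  # seconds; short lifetimes limit how long a stolen cookie is useful


def client_context(user_agent: str, ip: str) -> str:
    """Hash of the client traits the session is bound to (assumption: UA + source IP)."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()


def issue_session(user: str, user_agent: str, ip: str) -> str:
    """Called only after password and 2FA both succeed. Returns the cookie value."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {
        "user": user,
        "ctx": client_context(user_agent, ip),
        "issued": time.time(),
        "revoked": False,
    }
    return token


def validate_session(token: str, user_agent: str, ip: str, now=None):
    """Return (status, user); status is 'ok', 'expired', 'replay' or 'invalid'."""
    now = time.time() if now is None else now
    s = SESSIONS.get(token)
    if s is None or s["revoked"]:
        return "invalid", None
    if now - s["issued"] > SESSION_TTL:
        s["revoked"] = True
        return "expired", None
    # A correct cookie arriving from a different client context is the signature of a
    # replayed (stolen) cookie: revoke it so the attacker's copy stops working too.
    if not hmac.compare_digest(s["ctx"], client_context(user_agent, ip)):
        s["revoked"] = True
        return "replay", s["user"]
    return "ok", s["user"]
```

A "replay" result is the event worth alerting on: the legitimate user re-authenticates, while the copied cookie is dead.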

Chrome Extension 2FA Bypass Attack—Impact And Scope

According to Ting, the impact and scope of the Cyberhaven Chrome extension attack is as follows:

The only version of the Chrome extension impacted was 24.10.4, with the malicious code only being active between Christmas Day and Boxing Day. Only customers using Chrome-based browsers that auto-updated during the period of the attack would have been affected.

For those browsers that were running the compromised extension, however, Cyberhaven has confirmed that it “could have exfiltrated cookies and authenticated sessions for certain targeted websites.” The initial investigation suggests that the targeted logins were social media advertising and AI platforms.

“Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD processes and code signing keys, were compromised,” Ting said.


How To Mitigate 2FA Bypass Attacks—And Respond To The Cyberhaven Chrome Extension Incident

With the Federal Bureau of Investigation having warned on Oct. 30 about cybercriminals stealing session cookies to bypass 2FA account protections, the time to be aware of and mitigate the risk of these attacks is long overdue. There are “numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks,” a Google spokesperson said. “Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.”

One of the problems is that employees will often click through single sign-on and authorization screens, potentially granting permissions to unknown third-party apps, Vivek Ramachandran, founder of SquareX, said. “On the server side, this could be prevented by disallowing apps that request risky OAuth scopes unless they are authorized. While creating a whitelist isn’t always practical and can reduce productivity, a client-side Browser Detection-Response tool can step in.”
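The server-side control Ramachandran describes, blocking consent to apps that request risky OAuth scopes unless the app is approved, can be expressed as a small policy check over the consent URL a user is about to click through. This is an added example, not SquareX's or Google's code: the risky-scope set and the approved client ID are constructed assumptions, and the consent URL format follows Google's standard authorization endpoint, where scopes are passed space-delimited in the `scope` parameter.

```python
from urllib.parse import parse_qs, urlparse

# Assumption: scopes this organisation treats as risky when requested by an unknown app.
RISKY_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore",   # can publish extensions
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
}

# Constructed allowlist: client_id -> risky scopes that app is approved to request.
APPROVED_APPS = {
    "example-ci-bot.apps.googleusercontent.com": {
        "https://www.googleapis.com/auth/chromewebstore",
    },
}


def parse_consent_request(url: str) -> dict:
    """Extract host, client_id and requested scopes from an OAuth consent URL."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    scope_param = query.get("scope", [""])[0]
    return {
        "host": parts.netloc,
        "client_id": query.get("client_id", [""])[0],
        "scopes": set(scope_param.split()),  # scopes are space-delimited
    }


def evaluate_consent(url: str) -> dict:
    """Policy decision: allow, or block and name the unapproved risky scopes."""
    req = parse_consent_request(url)
    risky = req["scopes"] & RISKY_SCOPES
    unapproved = risky - APPROVED_APPS.get(req["client_id"], set())
    return {
        "decision": "block" if unapproved else "allow",
        "client_id": req["client_id"],
        "unapproved": sorted(unapproved),
    }
```

The same check works as a detection rule over proxy or browser telemetry: log every consent URL whose decision is "block" together with the requesting client ID.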

When it comes to this specific attack, affected customers were notified by Cyberhaven, along with those not known to be impacted, in the interest of complete transparency. The malicious Chrome extension was removed from the Chrome Web Store, and a secure version, 24.10.5, was automatically deployed. “For customers running version 24.10.4 of our Chrome extension during the affected period,” Ting said, “we strongly recommend verifying your extension has updated to version 24.10.5 or newer.” I have approached Google for a statement.


What Google Says About Staying Safe And Secure When Using Chrome Web Browser Extensions

Benjamin Ackerman, Anunoy Ghosh and David Warren, part of the Chrome security team, have provided the following advice when it comes to staying safe as far as Chrome extensions are concerned.

Acknowledging, quite rightly, that like any software, a Chrome extension can introduce risks as well as benefits, the Google Chrome security team posting explains how it exists with a single focus: keeping you safe as you install and take advantage of Chrome extensions.

The team does this by:

  • Providing users with a personalized summary of all the Chrome browser extensions they have installed.
  • Reviewing all extensions before they’re published on the Chrome Web Store.
  • Continuously monitoring those extensions after they’re published.

By entering “chrome://extensions” in your browser address bar, you will see a list of any extensions that you have installed that could potentially pose a security risk. If you don’t see this warning panel, although there is no 100% guarantee, it does likely mean you don’t have any dodgy extensions installed, the Chrome security team said. What the warning panel, if shown, does include are details of:

  • Extensions suspected of including malware.
  • Extensions that violate Chrome Web Store policies.
  • Extensions that have been unpublished by a developer, which might indicate that an extension is no longer supported.
  • Extensions that aren’t from the Chrome Web Store.
  • Extensions that haven’t published what they do with data they collect and other privacy practices.


The Chrome security team also recommended that you run a Chrome Safety Check by typing “run safety check” in the Chrome address bar and then selecting “Go to Chrome safety check.” That said, the safety check will notify you automatically if it has recommendations regarding your safety, but it never hurts to be proactive if you ask me.

How The Google Security Team Checks Extensions Before Publication To The Chrome Web Store

“Before an extension is even accessible to install from the Chrome Web Store,” Ackerman, Ghosh and Warren said, “we have two levels of verification to ensure an extension is safe.” The first is an automated review whereby every Chrome browser extension is analyzed by Google’s AI-powered machine-learning systems to spot potential violations or any suspicious behaviors. Then comes the human review, where a Chrome security team member will examine images, descriptions and public policies attached to each and every extension. “Depending on the results of both the automated and manual review,” the Chrome security team said, “we may perform an even deeper and more thorough review of the code.” In 2024, Google said less than 1% of all installs from the Chrome Web Store were found to include malware. “We’re proud of this record, and yet some bad extensions still get through,” the security team said, “which is why we also monitor published extensions.”

The Chrome security team reviews extensions that are already on the Chrome Web Store, and as with the security pre-check, this involves both human and machine processes. Google said that it also works with external security researchers, some of whom receive bug bounties, to find and report potential Chrome threats through the Developer Data Protection Rewards Program.


When it comes to extensions updated over time, programmed to execute malicious code at a later date, Google’s Chrome security team does its best to catch these as well. However, as we’ve seen with this incident, that doesn’t always work as efficiently as we would like or, to be honest, expect. The process involves periodically reviewing what extensions are doing and comparing that activity to the objectives each extension declares in the Chrome Web Store. “If the team finds that an extension poses a severe risk to Chrome users,” the security team said, “it’s immediately removed from the Chrome Web Store, and the extension gets disabled on all browsers that have it installed.” Despite all of the above, Google said, it’s still recommended that Chrome users review their extensions from time to time as well as enable the enhanced protection mode of Safe Browsing, which offers Chrome’s highest level of protection.




By Florencia Nick
