Attack confirmed to bypass Google Chrome two-factor authentication
- An attack aimed at bypassing 2FA targeted over 2.6 million Google Chrome users.
- Hackers used sophisticated phishing emails to compromise at least 35 browser extensions.
- The incident underscores the importance of security measures in protecting users from similar threats.
In December 2024, a series of attacks targeted Google Chrome users, focusing on bypassing two-factor authentication (2FA). Hackers compromised several browser extensions, impacting approximately 2.6 million users.

Initially surfacing on December 24, the attack exploited a phishing scheme that deceived an employee of the security company Cyberhaven, providing hackers with credentials to access the Google Chrome Web Store. The phishing email claimed a policy violation, came from a fake Chrome Web Store domain, and urged the developer to act swiftly. Upon clicking the link in the email, the employee inadvertently authorized a malicious application, which allowed the attackers to upload a malicious version of Cyberhaven's Chrome extension to the web store.

The compromised extension enabled hackers to exfiltrate session cookies and gain authorized access to targeted websites, particularly social media and advertising platforms. A session cookie represents a login that has already passed 2FA, so whoever holds it is not asked for the second factor again. The malicious version of Cyberhaven's extension was active only for a short time, between December 25 and December 26. Once it was identified, Cyberhaven swiftly removed the malicious extension and deployed a secure version.

The potential scope of the attack nevertheless highlighted ongoing vulnerabilities in the use of browser extensions and the need for improved security measures across platform development. The incident affected individual users and also posed risks to the corporate customers of Cyberhaven, which counts around 400,000 organizations among its clientele. It signals how essential it is for software developers and companies to remain vigilant against phishing attacks, especially as hackers continue to advance their tactics to exploit unsuspecting individuals within corporate environments.