Cyberhaven Chrome Extension Hit by Sophisticated Facebook Data Phishing Attack

A sophisticated phishing attack on December 24, 2024, led to the compromise of Cyberhaven’s Chrome extension through unauthorized access to the company’s Google Chrome Web Store account. Although the account was protected by Google Advanced Protection and MFA, the attackers successfully uploaded a malicious version 24.10.4 of the extension, specifically targeting Facebook users for data extraction.

Key Takeaways:

  • A targeted phishing attack compromised Cyberhaven’s Chrome extension through Google Chrome Web Store access
  • The malicious version collected Facebook user data and business account information during a 25-hour window
  • Attackers bypassed 2FA security measures without triggering standard authentication prompts
  • The incident was part of a larger campaign targeting multiple Chrome extension developers
  • Cyberhaven’s security team removed the compromised extension within 60 minutes of detection

Understanding the Attack Vector

The breach began with a targeted phishing operation against a Cyberhaven employee with access to the Google Chrome Web Store developer account. This incident raises significant concerns about the security review process within the Chrome Web Store. The attack succeeded despite the presence of Google Advanced Protection, suggesting a sophisticated bypass of standard security protocols.

Malicious Payload Analysis

The compromised extension contained modified code in its worker.js file that established communication with a command-and-control (C2) server at cyberhavenext[.]pro. The malicious content.js file specifically targeted Facebook.com users, collecting sensitive data including:

  • Facebook access tokens
  • User identification information
  • Business account details
  • Advertisement account data
  • Browser cookies and user agent strings

Impact and Timeline

The malicious Chrome extension was active for approximately 25 hours, from 1:32 AM UTC on December 25 to 2:50 AM UTC on December 26. Only users with Chrome-based browsers that auto-updated during this period were affected. The incident was isolated to version 24.10.4, with no compromise of other Cyberhaven systems or infrastructure.
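A defender-side triage script, added here as an example and not part of the original post, that combines the indicators above (the malicious version number, the C2 domain, and the 25-hour window) to list endpoints whose Facebook tokens and cookies should be rotated. The inventory records, DNS log format and hostnames are constructed and assumed.

```python
from datetime import datetime, timezone
# Indicators taken from the write-up; the defanged domain is restored so it can be matched.
COMPROMISED_VERSION = "24.10.4"
C2_DOMAIN = "cyberhavenext.pro"
WINDOW_START = datetime(2024, 12, 25, 1, 32, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 12, 26, 2, 50, tzinfo=timezone.utc)
# Constructed sample extension inventory, in the shape an asset tool might export it.
INVENTORY = [
    {"host": "laptop-01", "version": "24.10.4", "updated": "2024-12-25T03:10:00Z"},
    {"host": "laptop-02", "version": "24.10.3", "updated": "2024-12-20T09:00:00Z"},
    {"host": "laptop-03", "version": "24.10.5", "updated": "2024-12-26T04:00:00Z"},
]
# Constructed sample DNS log; the "<timestamp> <host> <query>" layout is an assumption.
DNS_LOG = """\
2024-12-25T05:12:44Z laptop-01 cyberhavenext.pro
2024-12-25T05:13:01Z laptop-02 www.facebook.com
2024-12-25T06:00:00Z laptop-04 api.CYBERHAVENEXT.PRO.
malformed line that a real log export might contain
"""
def exposed_hosts(inventory):
    """Hosts still on the malicious version, or whose last update landed in the window."""
    hits = {}
    for rec in inventory:
        updated = datetime.strptime(rec["updated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        reasons = []
        if rec["version"] == COMPROMISED_VERSION:
            reasons.append("runs " + COMPROMISED_VERSION)
        if WINDOW_START <= updated <= WINDOW_END:
            reasons.append("auto-updated inside the incident window")
        if reasons:
            hits[rec["host"]] = reasons
    return hits

def c2_contacts(log_text):
    """Hosts whose DNS queries hit the C2 domain or any subdomain of it."""
    hits = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than aborting the hunt
        host, query = fields[1], fields[2].lower().rstrip(".")  # normalise case and root dot
        if query == C2_DOMAIN or query.endswith("." + C2_DOMAIN):
            hits.add(host)
    return hits

def triage(inventory, log_text):
    """One host -> reasons map; every listed host needs its Facebook tokens and cookies rotated."""
    findings = exposed_hosts(inventory)
    for host in sorted(c2_contacts(log_text)):
        findings.setdefault(host, []).append("resolved " + C2_DOMAIN)
    return findings
```

A host that resolved the C2 domain without appearing in the inventory (laptop-04 in the sample) is the more urgent case, since it means the extension inventory itself is incomplete.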

Detection and Response

Cyberhaven’s security team demonstrated quick response capabilities by detecting the compromise at 11:54 PM UTC on December 25. The team’s swift action resulted in the removal of the malicious package within 60 minutes of detection. I recommend using automation tools like Latenode to enhance security monitoring and response times for similar incidents.

Security Implications and Future Measures

This incident highlights critical vulnerabilities in extension distribution platforms and the necessity for enhanced security measures. The successful bypass of 2FA protection emphasizes the need for additional security layers beyond standard authentication methods. Organizations must implement continuous monitoring systems and maintain rapid incident response capabilities to minimize potential damage from similar attacks.