Exposing the Hidden Risks of Browser Extensions: Cyberhaven’s Breach Unveiled
Today’s digital landscape is under attack like never before. Threat actors look for the slightest “crack in the armor” that lets them break through security barriers. Today’s workforce is more web-driven than ever and uses browsers to connect to SaaS applications, cloud storage, and many other applications. Browser extensions add capabilities to the browser. However, a recent cybersecurity incident emphasizes that while browser extensions can be helpful, they also bring a whole range of security concerns. Ironically, the incident involves a cybersecurity firm’s own browser extensions. Let’s see what happened and how organizations can protect themselves.
What Happened in the Attack?
On December 24, Cyberhaven, a data loss prevention company, notified customers of a cyber incident that left at least five of their Chrome extensions compromised. The extensions were modified to inject malicious scripts with the purpose of stealing sensitive information from users, including logins, session cookies, and browsing history.
Cyberhaven has many high-profile customers, including Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, and others. The extension was no doubt an attractive target: it is installed in large enterprise environments and has been widely trusted in the past.
Cyberhaven recognized the malicious extension and removed it approximately one hour after it was detected, and notified customers via email. The next day, December 26, Cyberhaven published a clean version of the extension. However, by this time, the fallout was already quite large.
Customers were notified and urged to update to the clean version as soon as possible and to rotate any credentials the compromised extension could have exposed. This means changing all passwords, rotating all API tokens, and reviewing browser logs to make sure there is no malicious activity.
The incident shows that a well-known extension being “legitimate and trusted” does not make it immune to attack or compromise. The breach emphasizes the security risks posed by third-party browser extensions, even those developed by trustworthy organizations.
How the Attack Happened
A series of events led to the compromise of the Cyberhaven Chrome extensions. Here is how things unfolded.
- Phishing attack: Attackers gained unauthorized access to the developer’s account on the Chrome Web Store, evidently by means of a phishing attack. With legitimate credentials, the attackers could edit and publish modified code without raising an immediate red flag.
- Supply chain attack: Once inside the developer’s account in the Chrome store, attackers added malicious scripts to the browser plugin code. The scripts had the purpose of capturing sensitive user data and sending the data to a remote server accessible to the attackers.
- Plugin updates: While keeping applications and software updated is generally a good thing, in this case it played into the hands of the attackers. Users’ browser plugins may have been set to update automatically once a new version was published. This means that as soon as the compromised version was available in the Chrome store, it may have been downloaded. As users’ extensions updated, they became exposed to the attackers’ data exfiltration tactics.
- Data Exfiltration: Once the script was downloaded, it is possible that it immediately began harvesting sensitive user information, including passwords, session cookies, and API keys.
- Detection: The malicious activity was eventually detected by cybersecurity researchers, leading to the extension’s removal from the Chrome Web Store. However, by the time this occurred, the damage had already been done, with potentially millions of users impacted.
Impacts on Businesses Worldwide
How do third-party applications and cyber incidents like this affect organizations worldwide? Organizations can be affected in many ways. Organizations that use SaaS applications rely on solutions from many different vendors, and keeping an eye on the security of all of them is becoming more of a challenge due to the sheer number in use. Organizations must start using automated security solutions to perform risk assessments of third-party software, including SaaS applications.
This recent attack highlights the fact that organizations relying on employees to use browser extensions for productivity are exposed to potential data breaches, malware infections, and unauthorized access to corporate systems.
It also helps to emphasize the need for organizations to have security policies in place for visibility and control of third-party extensions and SaaS applications. While platforms like the Chrome store have some level of vetting, experienced attackers can still exploit shortcomings in the review process for apps. It highlights the need for businesses to take additional steps to protect their data and systems.
How businesses can protect themselves
This latest cybersecurity incident is a reminder that even browser plugins that are from trusted vendors can quickly become a security risk. Businesses have to be proactive about their SaaS app security. It is no longer enough to rely on SaaS vendors to make sure code is safe and uncompromised.
Here are key takeaways from the recent Chrome app breach:
1. Risk Assessments of third-party SaaS applications are required
Organizations need to perform continual risk assessments of third-party SaaS applications. Browser extensions need to be vetted before use in the workplace. SecOps needs to maintain visibility into which apps and extensions users are running and have a way to control them in line with corporate security policies.
What are some key factors in determining the risk of third-party applications?
- Developer reputation – Who is the developer? Are they known? What is their reputation on the SaaS marketplace?
- Extension permissions – Organizations need to understand the types of permissions requested by various SaaS and third-party applications. Some plugins and extensions request very risky permissions.
- User reviews and ratings – How is the application rated? Poorly rated applications often have security issues as well.
- Regularly auditing approved extensions for changes in ownership or behavior – A safe and trusted application can change hands and be weaponized by a different developer, or security vulnerabilities can easily be introduced in subsequent versions.
2. Limit permissions and access
Extensions often request permission to access sensitive browser data. Organizations should make sure the apps and extensions allowed only have access to the minimum data necessary to provide the feature set. For example, if an extension requires access to browsing history, is this really necessary?
Using tools that provide allow lists or block lists enables admins to control which applications users can use in the organization. This is a great way to prevent shadow IT operations and other nefarious software from being integrated with access to sensitive data.
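The permission check described in this section can be automated against the extension’s own manifest. The following Python script is an added example written for this article, not Spin.AI or Cyberhaven code: it reads a Chrome extension’s manifest.json, flags permissions and host patterns that grant broad access to user data, and returns an allow/review verdict. The permission weights and the review threshold are this example’s own assumptions, not a published scoring scheme, and the two sample manifests are constructed, not real extensions.

```python
import json
from pathlib import Path

# Permissions that grant broad access to user data or to the browser itself.
# The weights are an assumption made for this example, not a standard.
RISKY_PERMISSIONS = {
    "cookies": 4,            # read/modify cookies (session tokens) for permitted hosts
    "webRequest": 3,         # observe network traffic
    "webRequestBlocking": 3, # alter or block network traffic
    "history": 3,            # full browsing history
    "tabs": 2,               # URL and title of every open tab
    "scripting": 3,          # inject scripts into pages
    "debugger": 5,           # attach the DevTools protocol to pages
    "nativeMessaging": 4,    # talk to native host binaries
    "management": 3,         # enable/disable other extensions
    "proxy": 4,              # redirect all traffic through a proxy
    "clipboardRead": 3,
    "downloads": 2,
    "identity": 2,
    "activeTab": 1,          # narrow: only the tab the user clicked on
    "storage": 0,            # benign: extension-local storage
}

BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect every host pattern the extension can reach: MV3 host_permissions,
    MV2 host entries inside 'permissions', and content_script 'matches'."""
    hosts = set()
    for p in manifest.get("permissions", []):
        if "://" in p or p == "<all_urls>":
            hosts.add(p)
    hosts.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts

def assess(manifest):
    """Return (score, findings) for one manifest dict."""
    score, findings = 0, []
    for p in manifest.get("permissions", []):
        weight = RISKY_PERMISSIONS.get(p, 0)
        if weight:
            score += weight
            findings.append(f"permission:{p}")
    if host_patterns(manifest) & BROAD_HOST_PATTERNS:
        score += 5
        findings.append("host:<all_urls>")
    # cookies combined with all-URL host access is the combination that lets an
    # extension read session cookies for every site the user visits
    if "permission:cookies" in findings and "host:<all_urls>" in findings:
        score += 3
        findings.append("combo:cookies+all_urls")
    return score, findings

def verdict(score, threshold=8):
    """Threshold is an assumption; tune it to the organization's risk appetite."""
    return "review" if score >= threshold else "allow"

def scan_extension_dir(root):
    """Walk a Chrome profile's Extensions directory, laid out as
    <root>/<extension id>/<version>/manifest.json (for example
    ~/.config/google-chrome/Default/Extensions on Linux), and assess each one."""
    results = {}
    for manifest_path in Path(root).glob("*/*/manifest.json"):
        ext_id, version = manifest_path.parts[-3], manifest_path.parts[-2]
        with open(manifest_path, encoding="utf-8") as f:
            manifest = json.load(f)
        score, findings = assess(manifest)
        results[(ext_id, version)] = (manifest.get("name", "?"), score, verdict(score), findings)
    return results

# Constructed sample manifests for demonstration; not real extensions.
MINIMAL = {"manifest_version": 3, "name": "Tab Counter",
           "permissions": ["activeTab", "storage"]}
OVERREACHING = {"manifest_version": 3, "name": "Page Helper",
                "permissions": ["cookies", "tabs", "scripting", "storage"],
                "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    for m in (MINIMAL, OVERREACHING):
        s, f = assess(m)
        print(f"{m['name']}: score={s} verdict={verdict(s)} findings={f}")
```

Run against a real profile with `scan_extension_dir(path)`; the output is a per-extension, per-version list that can feed an allow list. The question posed in the text (does this extension really need browsing history?) becomes a concrete finding rather than a judgement call.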
3. Extension updates
This recent cyberattack shows that we cannot assume all updates to third-party apps and browser extensions are safe. Automatic updates can introduce vulnerabilities if an application has been compromised, as with Cyberhaven.
Using cybersecurity automation to monitor extensions and SaaS applications running in the environment helps to maintain visibility on which versions are in production and any changes in extension behavior with specific releases.
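Monitoring for changes in extension behavior between releases, as this section and the earlier point on auditing approved extensions recommend, can be done by diffing the manifest of an incoming version against the approved baseline. The Python below is an added example written for this article, not Spin.AI or Cyberhaven code. It compares the fields that determine what an extension can reach or execute (permissions, host patterns, content scripts, background scripts, externally connectable sites) and holds the update for review whenever the new version expands that reach. Both manifests are constructed samples; the version numbers and file names are made up.

```python
# Fields of a Chrome manifest that define what an extension can access or run.
# Each extractor returns a set so versions can be compared as set differences.
FIELDS = {
    "permissions": lambda m: set(m.get("permissions", [])),
    "host_permissions": lambda m: set(m.get("host_permissions", [])),
    "content_script_matches": lambda m: {
        x for cs in m.get("content_scripts", []) for x in cs.get("matches", [])},
    "content_script_files": lambda m: {
        x for cs in m.get("content_scripts", []) for x in cs.get("js", [])},
    "background": lambda m: (
        set(m.get("background", {}).get("scripts", []))             # MV2 background pages
        | ({m["background"]["service_worker"]}                      # MV3 service worker
           if "service_worker" in m.get("background", {}) else set())),
    "externally_connectable": lambda m: set(
        m.get("externally_connectable", {}).get("matches", [])),
}

def diff_manifests(baseline, candidate):
    """Return {field: (added, removed)} for every field whose value changed."""
    changes = {}
    for name, extract in FIELDS.items():
        old, new = extract(baseline), extract(candidate)
        if old != new:
            changes[name] = (sorted(new - old), sorted(old - new))
    return changes

def should_hold_update(changes):
    """Hold the update when it expands reach: any newly added permission, host
    pattern, script file or connectable site. Removals alone are not held."""
    return any(added for added, _ in changes.values())

def review_update(baseline, candidate):
    """Decide whether an update may roll out automatically or needs human review."""
    changes = diff_manifests(baseline, candidate)
    return {
        "from": baseline.get("version"),
        "to": candidate.get("version"),
        "verdict": "hold" if should_hold_update(changes) else "allow",
        "changes": changes,
    }

# Constructed sample: the approved baseline of a fictional extension.
BASELINE = {
    "manifest_version": 3, "name": "Example Assistant", "version": "1.0.0",
    "permissions": ["storage", "tabs"],
    "host_permissions": ["https://app.example.com/*"],
    "content_scripts": [{"matches": ["https://app.example.com/*"], "js": ["content.js"]}],
    "background": {"service_worker": "background.js"},
}

# Constructed sample: an update that quietly widens access. A version bump alone
# says nothing; the diff shows a new cookies permission, all-URL host access and
# an extra content script file.
UPDATE = {
    "manifest_version": 3, "name": "Example Assistant", "version": "1.1.0",
    "permissions": ["storage", "tabs", "cookies"],
    "host_permissions": ["https://app.example.com/*", "<all_urls>"],
    "content_scripts": [{"matches": ["https://app.example.com/*"],
                         "js": ["content.js", "helper.js"]}],
    "background": {"service_worker": "background.js"},
}

if __name__ == "__main__":
    result = review_update(BASELINE, UPDATE)
    print(f"{result['from']} -> {result['to']}: {result['verdict']}")
    for field, (added, removed) in result["changes"].items():
        print(f"  {field}: +{added} -{removed}")
```

In practice the baseline is the manifest of the version that passed review, stored alongside the allow list; an update that changes only code inside already-declared files will not show up here, so this check complements, rather than replaces, version pinning and endpoint monitoring.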
4. Endpoint protection
Modern endpoint protection plays a major role in helping to make sure compromised extensions are detected and blocked from use. Endpoint Detection and Response (EDR) solutions help SecOps maintain real-time monitoring of applications and provide immediate response actions.
5. Cybersecurity training
Employee training is a crucial part of the overall cybersecurity strategy for organizations today. Users need to be educated about the risks that third-party apps and browser extensions can pose as well as the signs of phishing attempts through email or other means.
6. Third-party extension scanning tools
The sheer magnitude and number of SaaS applications used by organizations today is beyond what can be monitored using manual human efforts. Effective cybersecurity automation tools can continuously scan browser extensions and SaaS applications to help level the playing field with attackers.
Spin.AI Browser Extension & App Risk Assessment
- SpinMonitor – Free Extension Security Checker detects and assesses the risk of all browser extensions, including those pushed directly to the browser, providing full visibility into the potential business, security, and compliance risks of each extension.
- Spin.AI Risk Assessment for SaaS Apps and Browser Extensions allows administrators and SecOps teams to establish cybersecurity policies to allow or block app or extension integrations based on comprehensive risk scores.
- Risk Scores – SpinOne assigns risk scores to apps and extensions using Spin.AI’s extensive database of metrics and behavioral analysis. These scores give visibility to the potential threats the app or extension could pose to SaaS data, offering a clear and concise measure of their risk level.
- Fully Automated Risk Assessments – SpinOne’s Risk Assessment capabilities deliver fully automated, continuous evaluations of apps and extensions in your environment. This functionality helps admins and SecOps teams to quickly analyze:
  - Permissions requested by the app or extension
  - Developer reputation and history
  - Vulnerability records
  - Compliance with leading security standards
  Additionally, SpinOne provides a historical risk score timeline, allowing teams to track changes in an app or extension’s security posture over time.
- Compliance Support – SpinOne’s risk assessment tool helps to align security with critical compliance frameworks, such as GDPR, HIPAA, and CCPA. It provides insights into how well an app or extension adheres to key data protection regulations and certifications, including ISO 27001 and SOC 2. This helps organizations maintain regulatory compliance effortlessly.
- Free Web-Based Tool – SpinOne’s Risk Assessment tool is a free-to-use web application. No registration is required—simply input the name of the app or extension, and SpinOne generates a detailed risk report within seconds. This streamlined feature enables frequent evaluations or quick audits of proposed apps and extensions from various business stakeholders.
- AI-Powered Insights – The Risk Assessment tool leverages advanced machine learning algorithms to ensure precise risk evaluations. These cutting-edge algorithms proactively uncover risks before manual assessments could. With access to a database of over 400,000 pre-assessed and cataloged apps and extensions, SpinOne delivers unparalleled accuracy and depth.
- Policy-Based Control – SpinOne’s Risk Assessment tool is fully policy-driven, allowing admins and SecOps teams to craft policies for allowing or blocking apps or extensions based on their risk scores. These policies are continuously reinforced by automated risk assessments, ensuring apps and extensions are consistently scrutinized from a security perspective.
- Misconfiguration Detection – Recognizing the critical threat of cloud misconfigurations, SpinOne incorporates advanced misconfiguration detection capabilities. Completely API-based and agentless, this feature identifies and addresses misconfigurations to bolster cloud security proactively.
SpinOne offers a solution that helps organizations meet the challenges of using these integrations in a way that is controlled, governed, and secure. If you would like to schedule a demo of the SpinOne solution, click here: Demo SpinOne SaaS Security Platform.