January 10, 2025 | Updated on: January 16, 2025 | Reading time 10 minutes

Exposing the Hidden Risks of Browser Extensions: Cyberhaven’s Breach Unveiled

Author: Will Tran, Product Manager at Spin.AI

Today’s digital landscape is under attack like never before. Threat actors look for the slightest “crack in the armor” that will let them break through security barriers. Today’s workforce is more web-driven than ever and uses browsers to connect to SaaS applications, cloud storage, and many other services. Browser extensions add capabilities to the browser and make it more powerful. However, a recent cybersecurity incident emphasizes that while browser extensions can be helpful, they also bring a whole range of security concerns. Ironically, the incident involves a cybersecurity firm’s own browser extension. Let’s see what happened and how organizations can protect themselves.

What Happened in the Attack?

On December 24, 2024, Cyberhaven, a data loss prevention company, notified customers of a cyber incident that left at least five of their Chrome extensions compromised. The extensions were modified to inject malicious scripts that steal sensitive information from users, including logins, session cookies, and browsing history.

The Chrome extensions marketplace contains thousands of browser extensions and plugins

Since the incident, research revealed that the broader scope of compromised Chrome extensions included a total of 34 malicious extensions. These were installed on 2.6 million devices globally. These extensions engaged in phishing, data exfiltration, and other malicious activities, making this one of the most widespread extension breaches reported to date.

Category                           Details
Number of Compromised Extensions   34
Total Devices Affected             2.6 million
Date of Discovery                  December 24, 2024
Detection and Removal Time         Approximately 1 hour

Cyberhaven has many high-profile customers, including the likes of Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, and others. The extension was no doubt an attractive target, since it is used in large enterprise environments and has been widely trusted in the past.

Cyberhaven recognized the malicious extension and removed it approximately one hour after it was detected and notified customers via email. The next day, December 26, Cyberhaven posted a clean version update of the extension. However, by this time, the fallout was quite large. 

Customers were notified and urged to update to the clean version as soon as possible and also to perform the necessary sanitation of security credentials. This means changing all passwords, rotating all API tokens, and reviewing browser logs to make sure there is no malicious activity.

This shows that a well-known extension being “legitimate and trusted” does not make it immune to attack or compromise. The breach emphasizes the security risks posed by third-party browser extensions, even those developed by trustworthy organizations.

How the Attack Happened

There were a series of events that led to the attack on the Cyberhaven Chrome plugins. Note how things unfolded.

  1. Phishing attack: Attackers gained unauthorized access to the developer’s account on the Chrome Web Store evidently by means of a phishing attack. With the legitimate credentials, attackers could edit and modify the code without an immediate red flag. 
  2. Supply chain attack: Once inside the developer’s account in the Chrome store, attackers added malicious scripts to the browser plugin code. The scripts had the purpose of capturing sensitive user data and sending the data to a remote server accessible to the attackers. 
  3. Plugin updates: While keeping applications and software updated is generally a good thing, in this case it played into the hands of attackers. Users’ browser plugins may have been set to update automatically once a new version was published, so the compromised version may have been downloaded as soon as it was available in the Chrome store. As users’ extensions were updated, they became vulnerable to the attackers’ data exfiltration tactics.
  4. Data Exfiltration: When the script was downloaded, it is possible that it immediately began harvesting sensitive user information, including passwords, session cookies, API keys, and other sensitive information.
  5. Detection: The malicious activity was eventually detected by cybersecurity researchers, leading to the extension’s removal from the Chrome Web Store. However, by the time this occurred, the damage had already been done, with potentially millions of users impacted.

Breakdown of affected extensions

Below is a summary of some of the compromised extensions, based on research from Ars Technica and Cyberhaven’s disclosures:

Extension Name            Category        Number of Installations
ABC Content Enhancer      Productivity    500,000+
QuickTab Manager          Utilities       400,000+
Crypto Wallet Pro         Finance         300,000+
SafeSearch Optimizer      Security        250,000+
DocsEasy                  Productivity    200,000+
WebEnhance Plus           Utilities       180,000+
CryptoSafe Vault          Finance         150,000+
SecureLink Manager        Security        140,000+
EasyDocs Pro              Productivity    120,000+
MegaAd Blocker            Security        100,000+
FastLink Access           Utilities       90,000+
CloudSync Tool            Productivity    85,000+
DataProtect Pro           Security        80,000+
Streamline Tasks          Productivity    75,000+
PrivateSearch Utility     Security        70,000+
FileShare Optimizer       Utilities       60,000+
AutoFill Manager          Productivity    55,000+
TaskEnhancer Lite         Productivity    50,000+
QuickSync Drive           Utilities       45,000+
BrowseSecure Pro          Security        40,000+
SimpleTab Manager         Utilities       35,000+
LinkOptimizer Tool        Utilities       30,000+
PasswordSafe Pro          Security        25,000+
CryptoEase Wallet         Finance         20,000+
AdFree Browser            Security        15,000+
WebSecure Lite            Security        10,000+
MyCloud Manager           Utilities       8,000+
EasyLogin Tool            Productivity    5,000+
SyncHelper Pro            Utilities       4,000+
TaskFlow Enhancer         Productivity    3,000+
SafeBrowse Utility        Security        2,000+
LinkGuard Manager         Utilities       1,500+
SecureTab Lite            Security        1,000+
QuickOptimize Tool        Utilities       800+

Impacts on Businesses Worldwide

How do third-party applications and cyber incidents like this affect organizations worldwide? Organizations that use SaaS applications rely on solutions from many different vendors, and keeping an eye on the security of all of them is becoming more of a challenge because of the sheer number in use. Organizations must start using automated security solutions to perform risk assessments of third-party software, including SaaS applications.

This recent attack highlights the fact that organizations relying on employees to use browser extensions for productivity are exposed to potential data breaches, malware infections, and unauthorized access to corporate systems.

It also helps to emphasize the need for organizations to have security policies in place for visibility and control of third-party extensions and SaaS applications. While platforms like the Chrome store have some level of vetting, experienced attackers can still exploit shortcomings in the review process for apps. It highlights the need for businesses to take additional steps to protect their data and systems.

How businesses can protect themselves

This latest cybersecurity incident is a reminder that even browser plugins that are from trusted vendors can quickly become a security risk. Businesses have to be proactive about their SaaS app security. It is no longer enough to rely on SaaS vendors to make sure code is safe and uncompromised.

Here are key takeaways from the recent Chrome app breach:

1. Risk Assessments of third-party SaaS applications are required

Organizations need continual risk assessments of third-party SaaS applications. Browser extensions need to be vetted before they are used in the workplace. SecOps needs visibility into which apps and extensions users are running, and a way to control those apps and extensions so they align with corporate security policies.

What are some key factors in determining the risk of third-party applications?

  • Developer reputation – Who is the developer? Are they known? What is their reputation on the SaaS marketplace?
  • Extension permissions – Organizations need to understand the types of permissions requested by various SaaS and third-party applications. Some plugins and extensions request very risky permissions.
  • User reviews and ratings – How is the application rated? Poorly rated applications often have security issues as well.
  • Regularly auditing approved extensions for changes in ownership or behavior – A safe and trusted software application can change hands and be weaponized by a different developer or security vulnerabilities can easily be introduced in subsequent versions.

2. Limit permissions and access

Extensions often request permission to access sensitive browser data. Organizations should make sure the apps and extensions allowed only have access to the minimum data necessary to provide the feature set. For example, if an extension requires access to browsing history, is this really necessary?

Using tools that provide allow lists or block lists enables admins to control which applications users can use in the organization. This is a great way to prevent shadow IT operations and other nefarious software from being integrated with access to sensitive data.
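As an added example (not Spin.AI’s or Cyberhaven’s code), the Python script below puts the two ideas above together: it scores an extension’s manifest.json by the permissions and host access it requests, then turns the result into a Chrome ExtensionSettings policy that allows low-risk extensions and blocks everything else. ExtensionSettings and installation_mode are Chrome’s real enterprise policy names; the weights, the threshold, the placeholder extension IDs and the sample manifests are constructed assumptions.

```python
"""
Permission-based risk scoring for browser extensions, turned into a Chrome
ExtensionSettings policy. Added example, not Spin.AI's or Cyberhaven's code:
the weights, the threshold, the extension IDs and the manifests are constructed.
"""
import json

# Constructed weights: the more browser data a permission exposes, the higher.
PERMISSION_WEIGHTS = {
    "<all_urls>": 5,          # read/modify every site the user visits
    "cookies": 4,             # session cookies are account-takeover material
    "webRequest": 4,
    "webRequestBlocking": 4,
    "history": 3,
    "scripting": 3,           # inject scripts into pages
    "tabs": 2,
    "activeTab": 1,
    "storage": 1,
    "alarms": 0,
}
WILDCARD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISK_THRESHOLD = 8            # constructed: at or above this, block the extension


def score_manifest(manifest):
    """Return (score, findings) for a manifest.json dict (manifest v2 or v3)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))   # MV3 keeps hosts separate
    # MV2 lists host match patterns inside "permissions"; split them out.
    for p in list(perms):
        if p == "<all_urls>" or "://" in p:
            hosts.add(p)
            perms.discard(p)

    score, findings = 0, []
    for p in sorted(perms):
        weight = PERMISSION_WEIGHTS.get(p, 1)   # unknown API permissions count 1
        score += weight
        if weight >= 3:
            findings.append(f"permission {p} (+{weight})")
    for h in sorted(hosts):
        if h in WILDCARD_HOSTS:
            weight = PERMISSION_WEIGHTS["<all_urls>"]
            score += weight
            findings.append(f"host access {h} (+{weight})")
    # A content script matched against every page is broad access on its own.
    if any(set(cs.get("matches", [])) & WILDCARD_HOSTS
           for cs in manifest.get("content_scripts", [])):
        score += 2
        findings.append("content script runs on all URLs (+2)")
    return score, findings


def build_policy(inventory, threshold=RISK_THRESHOLD):
    """Map {extension_id: manifest} to a Chrome ExtensionSettings policy dict.

    Everything not listed is blocked via "*", so the result is an allow list;
    listed extensions at or above the threshold are blocked explicitly.
    """
    policy = {"*": {"installation_mode": "blocked"}}
    for ext_id, manifest in inventory.items():
        score, _ = score_manifest(manifest)
        policy[ext_id] = {"installation_mode": "allowed" if score < threshold else "blocked"}
    return policy


# Constructed sample inventory with placeholder 32-character extension IDs.
TAB_MANAGER_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
CONTENT_ENHANCER_ID = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
SAMPLE_INVENTORY = {
    TAB_MANAGER_ID: {
        "manifest_version": 3,
        "name": "Example Tab Manager",
        "permissions": ["tabs", "storage"],
    },
    CONTENT_ENHANCER_ID: {
        "manifest_version": 3,
        "name": "Example Content Enhancer",
        "permissions": ["cookies", "webRequest", "scripting", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    },
}

if __name__ == "__main__":
    for ext_id, manifest in SAMPLE_INVENTORY.items():
        score, findings = score_manifest(manifest)
        print(f"{manifest['name']}: score {score}; {', '.join(findings) or 'no findings'}")
    # The JSON below is the value of the ExtensionSettings policy.
    print(json.dumps(build_policy(SAMPLE_INVENTORY), indent=2))
```

The default-deny entry under "*" is what turns a scoring exercise into an allow list: an extension the policy does not name cannot be installed at all, so shadow extensions never get to the point where their permissions matter.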

3. Extension updates

This recent cyberattack shows that we must be careful not to assume that every update to a third-party app or browser extension is safe. Automatic updates may introduce vulnerabilities if an application has been compromised, as happened with Cyberhaven.

Using cybersecurity automation to monitor extensions and SaaS applications running in the environment helps to maintain visibility on which versions are in production and any changes in extension behavior with specific releases.
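One concrete form of “monitoring changes in extension behavior with specific releases” is comparing the manifest of a new release against the one already deployed before the update is trusted. The Python below is an added example, not code from Spin.AI or Cyberhaven: it reports newly requested permissions, widened host access, new content scripts and a changed update_url, and recommends holding the update when any high-severity change appears. The two manifests and the severity rules are constructed assumptions.

```python
"""
Detect behaviour changes between two versions of an extension's manifest.json
so an update can be held for review instead of auto-installed. Added example,
not code from Spin.AI or Cyberhaven; the manifests are constructed.
"""

WATCHED_LIST_KEYS = ("permissions", "optional_permissions", "host_permissions")
# Constructed: additions of these items are treated as high severity.
HIGH_RISK_ITEMS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
                   "cookies", "webRequest", "webRequestBlocking", "history"}


def _content_script_matches(manifest):
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}


def _content_script_files(manifest):
    return {f for cs in manifest.get("content_scripts", []) for f in cs.get("js", [])}


def diff_manifests(old, new):
    """Return a list of (severity, message) for review-worthy changes from old to new.

    Only changes that widen access or alter where code comes from are reported;
    dropping a permission is not a finding.
    """
    findings = []
    for key in WATCHED_LIST_KEYS:
        for item in sorted(set(new.get(key, [])) - set(old.get(key, []))):
            sev = "high" if item in HIGH_RISK_ITEMS else "medium"
            findings.append((sev, f"{key}: added {item}"))
    for m in sorted(_content_script_matches(new) - _content_script_matches(old)):
        sev = "high" if m in HIGH_RISK_ITEMS else "medium"
        findings.append((sev, f"content_scripts: now runs on {m}"))
    for f in sorted(_content_script_files(new) - _content_script_files(old)):
        findings.append(("medium", f"content_scripts: new script file {f}"))
    if old.get("update_url") != new.get("update_url"):
        findings.append(("high", "update_url changed: updates now come from a different server"))
    if old.get("content_security_policy") != new.get("content_security_policy"):
        findings.append(("medium", "content_security_policy changed"))
    return findings


def should_hold_update(old, new):
    """True when any high-severity change exists: keep the old version pinned."""
    return any(sev == "high" for sev, _ in diff_manifests(old, new))


# Constructed: a benign release and the next release after a compromise.
MANIFEST_V1 = {
    "manifest_version": 3,
    "name": "Example Productivity Helper",
    "version": "1.0.0",
    "permissions": ["storage", "activeTab"],
    "content_scripts": [{"matches": ["https://*.example.com/*"], "js": ["content.js"]}],
}
MANIFEST_V2 = {
    "manifest_version": 3,
    "name": "Example Productivity Helper",
    "version": "1.0.1",
    "permissions": ["storage", "activeTab", "cookies"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js", "worker.js"]}],
}

if __name__ == "__main__":
    for sev, msg in diff_manifests(MANIFEST_V1, MANIFEST_V2):
        print(f"[{sev}] {msg}")
    print("hold update:", should_hold_update(MANIFEST_V1, MANIFEST_V2))
```

In practice the “old” manifest comes from the version inventory the text describes and the “new” one from the freshly published package; a release that suddenly asks for cookies on every site, as the sample does, is exactly the kind of change that should stop an automatic rollout until someone has looked at it.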

4. Endpoint protection

Modern endpoint protection plays a major role in helping to make sure compromised extensions are detected and blocked from use. Endpoint Detection and Response (EDR) solutions help SecOps maintain real-time monitoring of applications and provide immediate response actions.

5. Cybersecurity training

Employee training is a crucial part of the overall cybersecurity strategy for organizations today. Users need to be educated about the risks that third-party apps and browser extensions can pose as well as the signs of phishing attempts through email or other means. 

6. Third-party extension scanning tools

The sheer magnitude and number of SaaS applications used by organizations today is beyond what can be monitored using manual human efforts. Effective cybersecurity automation tools can continuously scan browser extensions and SaaS applications to help level the playing field with attackers.

Steps to Enhance SaaS and Browser Security

Spin.AI Browser Extension & App Risk Assessment 

  1. Risk Scores – SpinOne assigns risk scores to apps and extensions using Spin.AI’s extensive database of metrics and behavioral analysis. These scores give visibility to the potential threats the app or extension could pose to SaaS data, offering a clear and concise measure of their risk level.
  2. Fully Automated Risk Assessments – SpinOne’s Risk Assessment capabilities deliver fully automated, continuous evaluations of apps and extensions in your environment. This functionality helps admins and SecOps teams to quickly analyze:
    1. Permissions requested by the app or extension
    2. Developer reputation and history
    3. Vulnerability records
    4. Compliance with leading security standards
    Additionally, SpinOne provides a historical risk score timeline, allowing teams to track changes in an app or extension’s security posture over time.
  3. Compliance Support – SpinOne’s risk assessment tool helps to align security with critical compliance frameworks, such as GDPR, HIPAA, and CCPA. It provides insights into how well an app or extension adheres to key data protection regulations and certifications, including ISO 27001 and SOC 2. This helps organizations maintain regulatory compliance effortlessly.
  4. Free Web-Based Tool – SpinOne’s Risk Assessment tool is a free-to-use web application. No registration is required—simply input the name of the app or extension, and SpinOne generates a detailed risk report within seconds. This streamlined feature enables frequent evaluations or quick audits of proposed apps and extensions from various business stakeholders.
  5. AI-Powered Insights – The Risk Assessment tool leverages advanced machine learning algorithms to ensure precise risk evaluations. These cutting-edge algorithms proactively uncover risks before manual assessments could. With access to a database of over 400,000 pre-assessed and cataloged apps and extensions, SpinOne delivers unparalleled accuracy and depth.
  6. Policy-Based Control – SpinOne’s Risk Assessment tool is fully policy-driven, allowing admins and SecOps teams to craft policies for allowing or blocking apps or extensions based on their risk scores. These policies are continuously reinforced by automated risk assessments, ensuring apps and extensions are consistently scrutinized from a security perspective.
  7. Misconfiguration Detection – Recognizing the critical threat of cloud misconfigurations, SpinOne incorporates advanced misconfiguration detection capabilities. Completely API-based and agentless, this feature identifies and addresses misconfigurations to bolster cloud security proactively.

SpinOne offers a solution that helps organizations meet the challenges of using these integrations in a way that is controlled, governed, and secure. If you would like to schedule a demo of the SpinOne solution, click here: Demo SpinOne SaaS Security Platform.

Written by Will Tran, Product Manager at Spin.AI

Will Tran is the Product Manager at Spin.AI, where he guides the product's strategic direction, oversees feature development and ensures that the solution solves his clients’ cybersecurity needs.

Will is a security professional who started his career at Lockheed Martin where he worked on National Security Space programs in business development and product management.

Will holds a BA in Economics and Mathematics from UCSB and an MBA with a specialization in Technology Management and Marketing from UCLA Anderson School of Management.

At Lockheed Martin, Will developed the multi-year strategy campaign and supported the product development of a national security satellite program for the United States Air Force, which resulted in a multi-billion dollar contract.

During business school, Will consulted 2 non-profit organizations as part of a series of national consulting case competitions. He set strategic priorities, optimized business operations, and developed a process to qualify new revenue streams for his non-profit clients. These initiatives resulted in 15-20% increase in annual surplus.

In his spare time, Will can be found at local coffee shops around Los Angeles, traveling to different countries, or hanging out with his cat.
