View attachment 34583
The cybersecurity company Cyberhaven, whose extension was compromised, disclosed some information regarding the incident throughout the course of the weekend.
During the month of this month, it was revealed that hackers were able to replace many Chrome extensions with harmful code after gaining access to admin accounts through a phishing effort. In an attack that appeared to be "targeting logins to specific social media advertising and AI platforms," the Chrome extension maintained by Cyberhaven was compromised on December 24. This information was disclosed by the cybersecurity company Cyberhaven in a blog post that was published over the weekend. The news agency Reuters stated that a few other extensions were also affected, dating back to the middle of December. ParrotTalks, Uvoice, and VPNCity are all included in this category, as stated by Jaime Blasco of Nudge Security.A notification was sent to Cyberhaven's customers on December 26 in an email that TechCrunch was able to view. The communication advised the customers to deactivate and rotate their passwords and other related credentials. According to the findings of the initial investigation conducted by the firm into the event, the malicious extension targeted users of Facebook Ads with the intention of collecting data such as access tokens, user IDs, and other account information, in addition to cookies. Additionally, a mouse click listener was included in the code. According to the findings of Cyberhaven's investigation, "the Facebook user ID is saved to browser storage after successfully sending all of the data to the [Command & Control] server." After that, the user ID is utilized in mouse click events to provide attackers with two-factor authentication on their end, in the case that it was required.
According to Cyberhaven, the company discovered the security flaw for the first time on December 25 and was able to uninstall the malicious version of the extension within an hour. An updated version has been made available since then.
