A sophisticated phishing campaign has successfully compromised at least 36 Chrome browser extensions, potentially exposing over 2.6 million users to data theft. Security researchers have uncovered a meticulously planned attack targeting extension developers through an elaborate OAuth-based social engineering scheme.
Sophisticated OAuth Phishing Operation Unveiled
The attackers orchestrated a complex social engineering campaign by impersonating Google’s official communications. They deployed convincing phishing emails warning developers about alleged Chrome Web Store policy violations, utilizing carefully crafted domains such as supportchromestore[.]com and forextensions[.]com to establish legitimacy. This strategic approach exploited developers’ natural concerns about their extensions’ status in the Chrome Web Store.
Technical Analysis of the Attack Vector
What makes this attack particularly noteworthy is its exploitation of legitimate OAuth authentication workflows. Victims were directed to authentic Google authorization pages, where a malicious application labeled Privacy Policy Extension requested permissions to manage their extensions. The attack’s sophistication lies in its ability to bypass multi-factor authentication (MFA) protections, as OAuth authorization processes typically don’t require additional verification steps.
Impact and Data Exfiltration Mechanisms
Upon gaining access, the threat actors injected malicious components (worker.js and content.js) into the compromised extensions. These modifications enabled the collection of sensitive user data, with a specific focus on social media platform credentials and business account information. The targeted data includes:
- User authentication tokens
- Business account credentials
- Two-factor authentication QR codes
- Advertising account information
Timeline and Attack Scope
The campaign’s preparation phase began in March 2024, with the registration of malicious domains. The active exploitation phase launched on December 5, 2024, demonstrating the attackers’ patient and methodical approach. While 36 extensions have been confirmed as compromised, security researchers suggest the actual impact could be substantially larger.
This incident highlights critical vulnerabilities in the browser extension ecosystem and emphasizes the need for enhanced security measures. Extension developers should implement strict code signing procedures, regularly audit OAuth permissions, and establish secure update verification protocols. Users are advised to regularly review their installed extensions and their granted permissions, while organizations should consider implementing additional security controls for browser extension management in corporate environments.
