PSA: 4.8 Million Affected by Chrome Extension Attacks Targeting Site Owners

This is a public service announcement from the Wordfence team regarding a security issue that has a wide impact. During the past 3 months, eight Chrome browser extensions were compromised and the attacker used them to steal Cloudflare credentials and serve up malicious ads.

This post discusses exactly what happened, how to protect yourself and what the wider implications are of this supply chain attack.

How the Chrome Extensions Were Compromised

In June, July and August, developers of the following Chrome extensions had their login credentials stolen through a phishing attack. The extensions affected are:

  • Web Developer – Version 0.4.9 affected
  • Chrometana – Version 1.1.3 affected
  • Infinity New Tab – Version 3.12.3 affected
  • CopyFish – Version 2.8.5 affected
  • Web Paint – Version 1.2.1 affected
  • Social Fixer – Version 20.1.1 affected
  • TouchVPN – appears to have been affected, but the version is unclear
  • Betternet VPN – also appears to have been affected, but no version was provided
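To check a workstation against the list above, here is an added example (not Wordfence's code) that walks a Chrome profile's Extensions directory and flags any manifest whose name and version match the list; the profile layout and the assumption that manifest names are not localised are mine, not the page's.

```python
"""Scan a Chrome profile for the extension versions named in this PSA (added
example, not Wordfence code). Assumes the standard Chrome layout
<profile>/Extensions/<id>/<version>/manifest.json and unlocalised names."""
import json
from pathlib import Path

# Name -> versions this PSA lists as compromised; entries with None (TouchVPN,
# Betternet) have no version on the page, so any install is flagged for review.
AFFECTED = {
    "Web Developer": {"0.4.9"},
    "Chrometana": {"1.1.3"},
    "Infinity New Tab": {"3.12.3"},
    "CopyFish": {"2.8.5"},
    "Web Paint": {"1.2.1"},
    "Social Fixer": {"20.1.1"},
    "TouchVPN": None,
    "Betternet": None,
}

def classify(name, version):
    """Return 'affected', 'review' or None for one installed extension."""
    for affected_name, versions in AFFECTED.items():
        if affected_name.lower() not in name.lower():
            continue
        if versions is None:
            return "review"
        return "affected" if version in versions else None
    return None

def scan_manifests(manifests):
    """manifests: iterable of (path, manifest dict). Returns flagged entries."""
    findings = []
    for path, manifest in manifests:
        name, version = manifest.get("name", ""), manifest.get("version", "")
        verdict = classify(name, version)
        if verdict:
            findings.append((verdict, name, version, str(path)))
    return findings

def load_manifests(profile_dir):
    """Yield (path, manifest) for every installed extension version."""
    for path in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        try:
            with open(path, encoding="utf-8") as f:
                yield path, json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
```

Call `scan_manifests(load_manifests(profile_dir))` with the Chrome profile directory (on Linux, `~/.config/google-chrome/Default`); each finding is a (verdict, name, version, manifest path) tuple.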

Based on total installs for these extensions, the attackers targeted a total of 4.8 million users. The developers of these Chrome extensions all had their account credentials compromised. They received an email that looked like this:

The link in the email used the bit.ly URL shortener to redirect the developer to a fake login page, which harvested their credentials and allowed the attacker to take control of the Chrome extension developer’s account.

How the Attackers Modified Affected Chrome Extensions

Once the attackers had access to modify the code in these Chrome extensions and release new versions, they made a change that injected their own malicious JavaScript into the extensions. The new code looked like this:

The code injects JavaScript from the attacker’s own domain into the victim’s browser. The victim here is someone who is using the Chrome web browser and has one of these extensions installed.

This allows an attacker to perform any action as the victim. This includes accessing any website the victim is signed into and modifying the content of any web page that the victim views. Once an attacker has control of one of your Chrome extensions, they own your web browser.

How Cloudflare Credentials Were Stolen

Once a victim installed a compromised Chrome extension, the extension would steal Cloudflare credentials if the victim had a Cloudflare account. The extension did this by making a request to a URL on Cloudflare that returns the account’s API key.

Once the attacker’s compromised extension gets the API key, it sends the key and the user’s email address to the attacker’s website. The code that does this is shown below:

Why Cloudflare Credentials Were Stolen

Once the attacker has a site owner’s Cloudflare credentials, they can perform a variety of malicious actions. This includes modifying a website’s DNS entry to point the site at the attacker’s own server. The API call they would make to do this is the “Update DNS record” function in the Cloudflare API.

This is an example request showing how the user email and API key are used with curl from the command line to update a DNS record:

At this time we have no reports of websites having their traffic redirected by the attacker. They may have collected credentials for a future attack.
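As an added defensive counterpart (not Wordfence’s or Cloudflare’s code), this script lists a zone’s DNS records through the same Cloudflare v4 API and email/API-key headers and diffs them against a baseline the site owner keeps, so a repointed record shows up; the zone, the baseline and the sample API result are constructed.

```python
"""Audit a Cloudflare zone's DNS records against a known-good baseline (added
example, not Wordfence or Cloudflare code). Uses the v4 "List DNS records" call
with the X-Auth-Email / X-Auth-Key headers a stolen key would be used with."""
import json
import urllib.request
API = "https://api.cloudflare.com/client/v4"

def fetch_records(zone_id, email, api_key):
    """Return the 'result' list from GET /zones/{zone_id}/dns_records."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/dns_records?per_page=100",
        headers={"X-Auth-Email": email, "X-Auth-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"Cloudflare API error: {body.get('errors')}")
    return body["result"]

def find_drift(baseline, records):
    """Diff baseline {(type, name): content} against live records; returns
    (kind, type, name, expected, actual) with kind changed/added/missing."""
    live = {(r["type"], r["name"]): r["content"] for r in records}
    drift = []
    for key, expected in baseline.items():
        actual = live.get(key)
        if actual is None:
            drift.append(("missing", key[0], key[1], expected, None))
        elif actual != expected:
            drift.append(("changed", key[0], key[1], expected, actual))
    for key, actual in live.items():
        if key not in baseline:
            drift.append(("added", key[0], key[1], None, actual))
    return drift

# Constructed baseline and constructed API result: apex A record repointed, one record added.
BASELINE = {
    ("A", "example.com"): "203.0.113.10",
    ("CNAME", "www.example.com"): "example.com",
}
SAMPLE_RESULT = [
    {"type": "A", "name": "example.com", "content": "198.51.100.7"},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com"},
    {"type": "A", "name": "cdn.example.com", "content": "198.51.100.8"},
]

if __name__ == "__main__":
    for kind, rtype, name, expected, actual in find_drift(BASELINE, SAMPLE_RESULT):
        print(f"{kind}: {rtype} {name} expected={expected} actual={actual}")
```

Replace `SAMPLE_RESULT` with `fetch_records(zone_id, email, api_key)` to run it against a real zone; any `changed` or `added` entry is a record the key holder altered.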

Attackers Engaged in Malvertising

In addition to stealing Cloudflare credentials, the attackers engaged in ‘malvertising’. The malicious Chrome extension code served up ads belonging to the attacker.

They did this by hijacking ads from well known ad networks and replacing those ads with their own ads. Most of the substitutions occurred for ads being served from adult websites.

Many of the ads were a fake alert telling the browser owner they need to repair their PC. They were then redirected to an affiliate program which the attacker profited from.

How to Protect Yourself

1. Even the Pros get Phished

Lesson number one from this attack is that, as we have reported in the past, even those of us who are seasoned online professionals can fall victim to a phishing or spear phishing attack. Make absolutely sure that if you receive an email, you verify the origin and think before you click or download.

  1. Never click on a link if you don’t recognize a sender.
  2. Never click a link in an email and then sign in to a service. If a link leads you to a sign-in page, go back to the email, look carefully at the sender’s address including its domain, and examine the URL of the link you clicked.
  3. Never download an attachment in an email and open it unless you have verified the sender. Even then, consider asking your sender to use a service like Google Docs that doesn’t require you to download attachments.

2. Get rid of browser extensions you don’t need

Lesson two is that browser extensions sometimes get hacked. When they do, it can be a catastrophe for you. If you don’t absolutely have to have a browser extension, get rid of it.

Alternatively, deactivate extensions until you need them. Then activate them, use the extension and deactivate it again. This isn’t ideal, but it will reduce your risk if an extension is compromised for a few days.

That screenshot utility? If you don’t use it daily, dump it. That quote-of-the-day extension? Ditch it if you don’t need it.

In 2010, Chrome hit 10,000 extensions. Today, 7 years later, there are probably well over 100,000 extensions available for the Chrome browser. That many extensions creates a large attack surface for malicious actors. Make sure you minimize your risk by removing those you don’t use.

Supply Chain Attacks on the Rise

The NotPetya ransomware attacks we reported on recently started with an accounting firm in Ukraine, a company called M.E. Doc, having their software distribution system compromised. This allowed an attacker to distribute ransomware out to customers of M.E. Doc.

This kind of attack is known as a supply chain attack – when an attacker targets an upstream provider of hardware or software, compromises their systems, and infects their customers.

This attack on the developers of Chrome Extensions is another example of a supply chain attack in action.

If you are a developer, it is important to be aware that as these attacks become more popular, you are more likely to be targeted because you are a gateway to infecting a much larger group of people: your customers.

Attacks targeting site owners are also a supply chain attack. You supply your large audience with content. By controlling your website and serving up a browser exploit, an attacker can take control of a large number of workstations in a single attack.

As site owners it is our responsibility to be more cautious than most when it comes to our security. We have an obligation to our customers and site visitors to stay secure.

Sources

Thanks to Risky Biz and Pat Gray who alerted me to this attack on his podcast this morning. We’re a sponsor of Risky Biz which is an awesome security podcast that I highly recommend you subscribe to if you are in the security industry.

Also thanks to Catalin Cimpanu over at Bleeping Computer who reported on this yesterday. As always doing a great job.

And then Kafeine at Proofpoint has covered this story in detail. I have borrowed images in the post above from Proofpoint, so thanks to them for that and the excellent research.

And PhishMe has written about how the Chrome Extension authors were phished. (Nice booth at Black Hat guys! We paid you a visit while our team was there last month.)

Share To Help Secure Our Community

If you are a website owner, please share this public service announcement with your community to help create awareness of these kinds of supply chain attacks that target developers and website owners.


Comments

27 Comments
  • Is there reason to believe that anything other than Cloudflare credentials may have been stolen?

    In other words, if I poll my employees to find out if any of them have these extensions installed, and it turns out they do, then what do I need to do other than rotate all our Cloudflare credentials if the employee(s) who had these extensions had access to our Cloudflare account?

    • If they have one of these installed and had it installed while it was compromised, then all bets are off. You need to do global password changes for that user along with revoking any keys that user may have and issuing new ones.

  • If seasoned pros are falling for this kind of phishing, what are we greenhorns supposed to do... I will have to worry about every email coming from one of my banks, service providers or online accounts... Is there any way to protect myself from all these attacks, any comprehensive security suite etc.

    • See above for my advice to avoid this kind of attack. Good security hygiene, education and relying on great security vendors is the way to go in my opinion.

  • We still use Opera browser for 95% of all our web browsing needs. Simply unbeatable in terms of security.

  • For those of us that used one of these extensions what should we do to protect our Cloudflare accounts now?

    • Immediately change your password on CF and contact them to find out how to invalidate an API key. Or check their docs. It's the API key an attacker will use to make changes.

      • Cloudflare users can simply log in to their dashboard and change their API under the "My Profile" tab -- it's a one-click process. It's on the same page that they would use to change their password as well.

        • Thanks Abigail!

  • Back in February or early April, I noticed something odd going on with one of the sites I maintain that was using Cloudflare. I spotted the activity as I read through the list of live traffic events via the WordFence dashboard. I had recently installed WordFence on all the sites I manage after one of them was hacked.
    I reported this to Cloudflare and to WordFence. CloudFlare blew me off. Wordfence did get back to me, but the tech who did, didn't seem to grasp what I was trying to show them. At any rate, the activity had not penetrated my firewall and I reluctantly moved on. If I can find the email thread from that incident, I will pass it along. This was shortly after the news reports that CloudFlare accounts had been compromised. It seemed clear to me, that there was more going on beyond what had been discovered and now I suspect that this was it. If I am correct, then this began several months sooner than is being reported.

    • Hi Michael. Our folks are quite responsive and all are technical. Sorry to hear you didn't get the analysis you were after. Drop us a line again in the ticketing system and I'll give the team a heads up to expect you.

      Mark.

      • Okay, I found the emails and I will pass them along. I hope they will be of some use.

        • Thanks.

  • Always hover above the link to check it and make sure it goes to a domain you know is valid for that sender.

    • Agreed Kevin,

      I treat every email as suspect, regardless of who it's from, and always hover over a link first. If I'm still not 100%, I'll pull the raw headers, just to make sure.

      Can't be too paranoid, these days!

    • That is generally a good idea, but it is possible to mask the link with javascript and make the link that appears when you hover say anything you want. I used to do this with affiliate links so that it just showed the main domain and stripped out the affiliate details so people would follow the link.

      Don't do it any more though as it is bad practice.

  • I always find a good dollop of common sense always helps in these situations.

  • Still amazes me how stupid these developers were not having 2FA, either YubiKey or Google Authenticator, attached to their accounts. I have been watching this unfold for 4 months now in the Chrome dev forums. Our extension is just about to be released; we already have YubiKey and Authenticator on, you need both to log in. I know of another extension that has been compromised that has 800k users, as he didn't have 2FA on hahaha. I'm not a dev but it's basic common sense as far as I am concerned; secure your login and it stops 99% of problems. The other issue is devs have been telling me they are not getting responses from Google or Chromium to rectify this either; they're not getting their credential reset so they can log in and remove the injected codebase, and the hackers were changing ownership details of the accounts so the dev can't gain access. I hope Google or Chromium is on top of this now.

  • If I had one of those extensions but was deactivated, did I have any risks and need to change all of my passwords? I used chrome as one of my main browsers and now I'm worried. The extension has been deactivated practically since I installed it, I didn't use it but had as one of those "just in case" things.

    I did not notice anything regarding ads or weird redirects.

    • If it was deactivated the whole time, you should be fine. I might change my passwords and lock everything down just to be safe.

      • Thank you, and thanks for making everyone aware of this

  • How about not using Chrome until Google commits to fixing their extension system? Firefox addons are much more trustworthy since Mozilla reviews them before publication.

  • Thanks a lot for this. I had CopyCat installed and I had uninstalled it a few weeks ago after discovering it injected some popup script on web pages, but I didn't know it also stole CF credentials!

  • Usually if I get an email that asks me to login to view more, I ignore the link and go to the site directly via the browser using the address that I'm familiar with. It's just that extra bit of caution.

  • I've maintained - and happily pay for - my WordFence Premium long after I stopped using WordPress because I find your service and your blog to be important. I like being aware of the threats out there. No place does this as well as WordFence. This PSA blog on the Chrome extensions attack is an excellent example of your value. Thanks!

  • As always, thanks for all you do, Mark (and Wordfence team). Will be making sure my clients are also aware.

  • Great advice! Thank you!