Celebrity investors, creator metrics, and Chrome extension compromise – ESW #389

“Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens”

Big Oof. That’s a tough statement to read for a cybersecurity vendor. A data loss prevention vendor being the source of the leak? There are a ton of details worth going into here though.

First off, I’m giving Cyberhaven a 10/10 on the breach response here. They detected it quickly, pulled it down quickly, and have been very transparent during the whole process – all the most important things you want to see in incident response from one of your third parties.

The benefit of reporting on this now, a few weeks later (it happened on Christmas Eve/Day, because attackers are jerks like that), is that we now know that Cyberhaven’s Chrome extension was just one of 36 extensions that were successfully hacked, all using the same phishing tactics. It’s the details of these tactics that get really concerning.

  1. The phish: sent to extension maintainers, the email created a sense of urgency by suggesting the extension didn’t meet Google’s policies and was at risk of getting pulled.
  2. The trap: clicking “Go To Policy” takes the target to a legitimate Google auth page, but for the attacker’s OAuth app, nefariously named “Privacy Policy Extension”. The target thinks they’re accepting a new Google policy, when they’re actually delegating control of their extensions to the attackers.
  3. The kicker: “direct approvals in OAuth authorization flows” don’t require MFA.

In Cyberhaven’s post mortem there’s another painful statement: “The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised.”
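The practical consequence of the three steps above and of that post-mortem quote is that login telemetry will look clean: no credential theft, no failed MFA, just a successful consent screen. What a defender can watch instead is the OAuth grant itself. The following Python script is an added example, not Cyberhaven’s or Google’s code: it scans consent-grant records for third-party apps that are not on an approved-app allowlist and calls out grants that carry sensitive scopes or arrived with no MFA prompt. The record format, field names (`event`, `client_id`, `scopes`, `mfa_prompted`), client IDs and app names are assumptions made up for the example, and the scope strings are constructed sample values shaped like Google API scopes, not values taken from the page.

```python
"""Scan OAuth consent-grant records for third-party apps that warrant review.

Added example, not Cyberhaven's code. The record format and field names are
assumptions made for this example, not a real audit-log schema.
"""
import json
from dataclasses import dataclass, field

# Constructed sample records (newline-delimited JSON). Scope strings are sample
# values shaped like Google API scopes; client IDs and app names are made up.
SAMPLE_EVENTS = """
{"time":"2024-12-24T10:02:11Z","user":"dev@example.com","event":"oauth_authorize","app_name":"Chrome Web Store Publisher","client_id":"client-allowlisted-001","scopes":["https://www.googleapis.com/auth/chromewebstore"],"mfa_prompted":true}
{"time":"2024-12-24T10:15:43Z","user":"dev@example.com","event":"oauth_authorize","app_name":"Privacy Policy Extension","client_id":"client-unknown-777","scopes":["https://www.googleapis.com/auth/chromewebstore","openid","email"],"mfa_prompted":false}
{"time":"2024-12-24T11:00:00Z","user":"pm@example.com","event":"login","mfa_prompted":true}
{"time":"2024-12-24T11:30:00Z","user":"pm@example.com","event":"oauth_authorize","app_name":"Calendar Sync","client_id":"client-unknown-555","scopes":["https://www.googleapis.com/auth/calendar.readonly"],"mfa_prompted":false}
"""

# Client IDs of OAuth apps the organization has reviewed and approved (assumption).
ALLOWED_CLIENT_IDS = {"client-allowlisted-001"}

# Scopes that hand a third party control over publishing assets (assumption).
SENSITIVE_SCOPES = {"https://www.googleapis.com/auth/chromewebstore"}


@dataclass
class Finding:
    time: str
    user: str
    app_name: str
    client_id: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_events(raw: str) -> list:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def assess(event: dict):
    """Return a Finding for a consent grant that warrants review, else None.

    Logins and grants to allowlisted apps are ignored: the consent-phishing
    flow looks like a normal, credential-free authorization, so the grant
    itself (not the login) is the event to watch.
    """
    if event.get("event") != "oauth_authorize":
        return None
    if event.get("client_id") in ALLOWED_CLIENT_IDS:
        return None

    reasons = ["client_id not on the approved-app allowlist"]
    sensitive = sorted(set(event.get("scopes", [])) & SENSITIVE_SCOPES)
    if sensitive:
        reasons.append("sensitive scopes granted: " + ", ".join(sensitive))
    if not event.get("mfa_prompted", False):
        reasons.append("consent granted with no MFA prompt")

    severity = "high" if sensitive else "medium"
    return Finding(event["time"], event["user"], event.get("app_name", "?"),
                   event["client_id"], severity, reasons)


def scan(raw: str) -> list:
    """Run assess() over every record and return the findings in log order."""
    findings = []
    for event in parse_events(raw):
        finding = assess(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.time} {f.user} granted '{f.app_name}' "
              f"({f.client_id}): " + "; ".join(f.reasons))
```

The allowlist is the important design choice: an app name like “Privacy Policy Extension” is chosen to look legitimate, so matching on the client ID of apps you have actually reviewed is more robust than matching on names or on the login events that this kind of phish never disturbs.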

Big Oof.
