Phishy Business: Chrome Extensions Hijacked in Sneaky OAuth Scam
A deceptive phishing campaign targeted Chrome extension developers, leading to the compromise of at least 35 extensions, including those from Cyberhaven. Attackers used malicious OAuth applications to inject data-stealing code, particularly targeting Facebook accounts. This cyber plot unfolded like a bad crime movie, but with fewer car chases and more stolen Facebook IDs.

Hot Take:
Looks like Chrome extension developers might need to hit the gym because they just got phished and hooked by some slick cybercriminals. This is why you should always read the fine print and avoid clicking on that tempting ‘Go To Policy’ button like it’s a surprise party invite from your least favorite coworker. Consider this a PSA: when in doubt, just say no to OAuth!
Key Points:
- At least 35 Chrome extensions were compromised through a phishing campaign targeting developers.
- The attack chain began with a phishing email masquerading as a Google policy-violation notice and ended with the developer authorizing a malicious OAuth application.
- Malicious code was injected into extensions, targeting Facebook business accounts specifically.
- The phishing campaign was traced back to March 2024, although major activity was noted in December 2024.
- Multi-factor authentication did not prevent the attack: MFA protects the login step, but the developers logged in legitimately and then granted the attacker's OAuth application access at the consent step, which MFA does not gate.
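The consent step is where a defender can still intervene: the link behind a "Go To Policy" button resolves to an OAuth authorization URL whose query string names the requesting app and the access it wants. The script below is an added example, not code from this post or from Cyberhaven or any other party named in it. It parses such a URL and flags the signals an analyst triaging a reported email would check: a client_id absent from a hypothetical organizational allowlist, sensitive scopes (the real Google Chrome Web Store scope among them), and a request for offline access, which yields a long-lived refresh token. The allowlist, the sample URLs and the client IDs in them are constructed placeholders.

```python
"""Triage an OAuth authorization link before anyone clicks it.

Added example for the consent-phishing pattern described above. It inspects the
Google OAuth authorization URL a phishing button would point at and reports the
checks a defender can make without ever loading the link.
"""
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist of OAuth client IDs the organization has vetted (placeholder value).
APPROVED_CLIENT_IDS = {"123456789012-approvedapp.apps.googleusercontent.com"}

# Scopes whose grant hands a third party control worth escalating on.
# These are real Google scope strings; the mapping text is an analyst's gloss.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore": "manage and publish Chrome Web Store items",
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/drive": "full Drive access",
}

GOOGLE_AUTH_HOST = "accounts.google.com"

# Constructed sample links (client IDs and redirect hosts are placeholders).
SAMPLE_PHISH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-placeholderapp.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore%20openid"
    "&access_type=offline"
)
SAMPLE_APPROVED_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-approvedapp.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
    "&response_type=code"
    "&scope=openid%20email"
)


def triage_oauth_url(url: str) -> dict:
    """Return {'risk': 'n/a'|'low'|'medium'|'high', 'findings': [...]} for one link."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    findings = []

    # Only Google authorization endpoints are in scope for this check.
    if parsed.hostname != GOOGLE_AUTH_HOST or not parsed.path.startswith("/o/oauth2"):
        return {"risk": "n/a", "findings": ["not a Google OAuth authorization URL"]}

    # Signal 1: who is asking? Unknown client_id means an app nobody has vetted.
    client_id = qs.get("client_id", [""])[0]
    unapproved = client_id not in APPROVED_CLIENT_IDS
    if unapproved:
        findings.append(f"client_id not on approved list: {client_id or '<missing>'}")

    # Signal 2: what is it asking for? Scopes are space-separated inside one parameter.
    scopes = set()
    for raw in qs.get("scope", []):
        scopes.update(raw.split())
    sensitive = scopes & set(SENSITIVE_SCOPES)
    for scope in sorted(sensitive):
        findings.append(f"sensitive scope requested: {scope} ({SENSITIVE_SCOPES[scope]})")

    # Signal 3: offline access returns a refresh token that outlives the session
    # and is never re-challenged by MFA.
    if qs.get("access_type", [""])[0] == "offline":
        findings.append("access_type=offline: long-lived refresh token requested")

    # Where the authorization code will be delivered, recorded for the analyst.
    redirect_host = urlparse(qs.get("redirect_uri", [""])[0]).hostname
    if redirect_host:
        findings.append(f"authorization code delivered to: {redirect_host}")

    if unapproved and sensitive:
        risk = "high"
    elif unapproved or sensitive:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "findings": findings}


if __name__ == "__main__":
    for label, link in (("phish", SAMPLE_PHISH_URL), ("approved", SAMPLE_APPROVED_URL)):
        result = triage_oauth_url(link)
        print(f"[{label}] risk={result['risk']}")
        for line in result["findings"]:
            print("   -", line)
```

Run it as-is to see the constructed phishing link scored high on the strength of an unvetted client_id plus the Chrome Web Store scope; in practice the allowlist would be populated from the OAuth apps an organization has actually reviewed, and any link scoring medium or high is reason to route the email to the security team rather than the developer's inbox.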