
Malicious Chrome Extensions Steal HR Platform Credentials

Summary

– Malicious Chrome extensions posing as enterprise productivity tools were discovered stealing credentials and blocking security pages for platforms like Workday and NetSuite.
– The coordinated campaign involved five extensions with over 2,300 installs, sharing identical code and infrastructure despite different publisher names.
– The extensions employed three attack methods: exfiltrating session cookies, manipulating pages to block security administration, and injecting cookies for session hijacking.
– By continuously stealing “__session” cookies and blocking incident response pages, attackers could maintain access and hinder security defenses.
– Google has taken down the reported extensions, and affected users should report the incident and change their passwords.

A concerning campaign of malicious Chrome extensions has been uncovered, specifically designed to compromise enterprise human resources and enterprise resource planning platforms. Cybersecurity researchers identified a coordinated set of add-ons on the Chrome Web Store that, while disguised as legitimate productivity and security tools, were actively stealing login credentials and sabotaging security management functions. This threat highlights the significant risk posed by seemingly benign browser extensions, especially those requesting broad permissions for enterprise software integrations.

The investigation revealed five distinct extensions targeting major platforms including Workday, NetSuite, and SAP SuccessFactors. Although the collective installation count was relatively low at around 2,300 users, the potential impact is severe. The theft of enterprise authentication credentials could serve as a direct gateway for large-scale ransomware deployments and massive data exfiltration attacks. The extensions shared critical similarities in their code structure, attack patterns, and the infrastructure they used, strongly suggesting a single, coordinated operation behind multiple fake developer identities.

These add-ons were cleverly marketed to users of specific business software. They promised enhanced productivity, streamlined workflows for managing multiple accounts, and even improved security controls. One extension, installed about a thousand times, advertised itself as a dashboard for bulk management tools. Another claimed to restrict access to sensitive administrative features to prevent account compromise. Their listings requested permissions that appeared consistent with legitimate enterprise tools, but their privacy policies failed to disclose the true nature of their data collection.

Behind this facade, the extensions executed a trio of malicious actions. First, they engaged in continuous authentication cookie theft. Specific cookies containing active login session tokens for the targeted platforms were harvested every minute and sent to remote servers controlled by the attackers. This allowed the threat actors to maintain persistent access to accounts, even after a legitimate user logged out.

Second, several extensions actively blocked access to critical security administration pages within platforms like Workday. Using page title detection, the malicious code would either wipe the content from these pages or redirect administrators away from them entirely. The targeted pages covered vital functions such as authentication policy management, security proxy configuration, IP range controls, and audit logs. This obstruction could effectively prevent IT and security teams from responding to an ongoing incident, even if they detected suspicious activity.

The most aggressive extension incorporated a feature for bidirectional cookie manipulation. Not only did it steal session tokens, but it could also receive stolen cookies from the attacker’s server and inject them directly into a user’s browser. This capability enabled immediate and seamless account takeover, bypassing usernames, passwords, and multi-factor authentication entirely by hijacking an already authenticated session.
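The three behaviours above map onto a small set of extension permissions: the cookies permission scoped to the HR/ERP hosts, a scheduler for the once-a-minute cookie reads, and script access to those pages for the title-based wiping and redirects. The following defensive triage script is an added example, not code from the original report or from Bleeping Computer; the platform domains are assumed values for the products named here, and both manifests are constructed samples.

```python
import json

# Assumed domains for the HR/ERP platforms named in the article (example values,
# not taken from the report; extend with your own tenants' hosts).
ENTERPRISE_DOMAINS = ("myworkday.com", "netsuite.com", "successfactors.com")

def _host_of(pattern: str) -> str:
    """Extract the host part of a Chrome match pattern such as 'https://*.x.com/*'."""
    if pattern == "<all_urls>":
        return "*"
    return pattern.split("://", 1)[-1].split("/", 1)[0]

def covers_enterprise_host(pattern: str) -> bool:
    """True if a match pattern reaches an enterprise platform host (or every site)."""
    host = _host_of(pattern).lstrip("*.")
    if not host:  # '*' or '*.*': every site, which includes the platforms
        return True
    return any(host == d or host.endswith("." + d) for d in ENTERPRISE_DOMAINS)

def assess(manifest: dict) -> dict:
    """Heuristic triage of one manifest (MV2 or MV3): cookie access with reach into
    enterprise hosts is the core signal; alarms and script access are supporting findings."""
    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]  # MV2 style hosts
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    reach = any(covers_enterprise_host(h) for h in hosts)
    findings = []
    if "cookies" in perms and reach:
        findings.append("cookies permission with reach into enterprise platform hosts")
    if "cookies" in perms and "alarms" in perms:
        findings.append("alarms + cookies: session cookies can be re-read on a schedule")
    if reach and ("scripting" in perms or manifest.get("content_scripts")):
        findings.append("script access to enterprise pages: DOM tampering possible")
    return {"name": manifest.get("name", "?"), "flagged": "cookies" in perms and reach,
            "findings": findings}

def assess_file(path: str) -> dict:
    """Triage an unpacked extension's manifest.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return assess(json.load(fh))

# Constructed sample manifests, not the campaign's real files.
SUSPECT = {"name": "Bulk Admin Dashboard (constructed)", "manifest_version": 3,
           "permissions": ["cookies", "alarms", "scripting", "storage"],
           "host_permissions": ["https://*.myworkday.com/*", "https://collector.example/*"],
           "content_scripts": [{"matches": ["https://*.myworkday.com/*"], "js": ["cs.js"]}]}
BENIGN = {"name": "Sticky Notes (constructed)", "manifest_version": 3,
          "permissions": ["storage"], "host_permissions": []}

if __name__ == "__main__":
    for m in (SUSPECT, BENIGN):
        print(json.dumps(assess(m), indent=1))
```

A flagged result is a review queue entry, not a verdict: a legitimate admin helper can carry the same permissions, so confirm the publisher and the privacy policy before acting.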

The researchers responsible for this discovery have reported the extensions to Google, and the add-ons have subsequently been removed from the Web Store. Any individual or organization that had installed these tools should immediately notify their security administrators for further investigation. It is also critically important to change passwords and review account activity on all potentially affected enterprise platforms.

(Source: Bleeping Computer)
