Chrome Extensions Threaten HR Platforms by Stealing Credentials


Malicious Chrome extensions pose a significant threat to enterprise HR platforms. Cybersecurity firm Socket recently uncovered a campaign targeting popular systems such as Workday, NetSuite, and SAP SuccessFactors. The extensions, disguised as productivity tools, were found to steal active session cookies (which the platforms accept as authentication credentials) and to block access to the platforms' security administration pages.

Malicious Chrome Extensions Identified

Socket identified five harmful Chrome extensions, which were collectively installed over 2,300 times. Although released under different names, the extensions share a common code structure and the same target platforms, which points to a coordinated effort. Four of them were published by a developer named databycloud1104, while the fifth was published under the name Software Access.

Types of Attacks

The campaign employs three distinct attack methods:

  • Cookie exfiltration to remote servers
  • DOM manipulation that blocks security administration pages
  • Bidirectional cookie injection for session hijacking

These techniques let attackers take over accounts without ever learning the victim's password: a valid session cookie is accepted by the platform as proof of an already authenticated session. The extensions marketed themselves as productivity enhancers or security improvements, misleading enterprise users.

Extension Features and Claims

Among the extensions, Data By Cloud 2 gained notable traction, with around 1,000 installations. It falsely claimed to offer bulk management tools for users handling multiple accounts. Another extension, Tool Access 11, promoted features aimed at securing sensitive administrative functions.

Malicious Behaviors Uncovered

Socket’s analysis revealed several malicious behaviors, including:

  • Extraction of authentication cookies named “__session” every 60 seconds
  • Blocking access to security and incident response pages
  • Session hijacking through cookie injection

The stolen cookies carry live session tokens and were sent to remote servers under the attackers' control. Because the cookie is re-harvested every 60 seconds, any new session the user creates by logging out and back in is captured as well, so the attackers retain access for as long as the extension stays installed.
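The three behaviours above map onto a specific set of extension capabilities: Chrome's cookies API needs the "cookies" permission plus a host permission matching the cookie's URL (for both reading and rewriting cookies), and reading or rewriting a page's DOM needs a content script or the "scripting" permission on that origin. As an added illustration, and not code from Socket's report or from the extensions it analysed, the following Node.js script triages an extension manifest for exactly that combination on the HR platforms named in the article. The two manifests it checks are constructed samples, and the HR domain list is an assumption about where those platforms' web apps are hosted.

```javascript
// Added example (not from Socket's report or the reported extensions):
// triage a Chrome extension manifest.json for the capability combination
// needed to steal and inject HR-platform session cookies and to tamper with
// the DOM of HR-platform pages. Both sample manifests below are constructed.

// Assumption: the HR platforms' web apps live under these registrable domains.
const HR_DOMAINS = [
  'workday.com', 'myworkday.com',           // Workday
  'netsuite.com',                            // NetSuite
  'successfactors.com', 'successfactors.eu', // SAP SuccessFactors
];

// Host part of a Chrome match pattern: "*://*.workday.com/*" -> "*.workday.com".
function patternHost(pattern) {
  if (pattern === '<all_urls>') return '*';
  const m = /^[a-z*-]+:\/\/([^/]*)\//i.exec(pattern);
  return m ? m[1] : null;
}

// Does this match pattern grant access to any HR platform domain?
function coversHrDomain(pattern) {
  const host = patternHost(pattern);
  if (host === null) return false;
  if (host === '*') return true;                      // every host
  const wildcard = host.startsWith('*.');
  const base = wildcard ? host.slice(2) : host;
  return HR_DOMAINS.some(d =>
    d === base ||                                     // *.workday.com / workday.com
    (wildcard && d.endsWith('.' + base)) ||           // *.com swallows workday.com
    base.endsWith('.' + d)                            // one specific HR host
  );
}

// Classify a manifest. Handles MV2 (host patterns inside "permissions") and
// MV3 ("host_permissions"); optional permissions count too, because the
// extension can request them at runtime.
function triageManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  const isHostPattern = p => p === '<all_urls>' || p.includes('://');
  const apiPerms = new Set(declared.filter(p => !isHostPattern(p)));
  const hrHosts = declared.filter(p => isHostPattern(p) && coversHrDomain(p));
  const hrContentScripts = (manifest.content_scripts || [])
    .flatMap(cs => (cs.matches || []).filter(coversHrDomain));

  const findings = [];
  // "cookies" + a matching host permission: chrome.cookies.getAll can read the
  // "__session" cookie (exfiltration) and chrome.cookies.set can write one
  // back (injection / session hijack).
  if (apiPerms.has('cookies') && hrHosts.length > 0) {
    findings.push({ id: 'session-cookie-read-write', hosts: hrHosts });
  }
  // Content script or scripting API on HR origins: full control of the page
  // DOM, which is enough to hide or block the security admin pages.
  if (hrContentScripts.length > 0 || (apiPerms.has('scripting') && hrHosts.length > 0)) {
    findings.push({
      id: 'dom-control-on-hr-pages',
      hosts: hrContentScripts.length > 0 ? hrContentScripts : hrHosts,
    });
  }

  const verdict = findings.some(f => f.id === 'session-cookie-read-write') ? 'block'
                : findings.length > 0 ? 'review' : 'allow';
  return { name: manifest.name, verdict, findings };
}

// Constructed sample: a "bulk account management" helper whose manifest grants
// exactly the capabilities described in the article. Not a real extension.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 3,
  name: 'Bulk Account Helper (constructed sample)',
  permissions: ['cookies', 'storage', 'alarms'],
  host_permissions: [
    '*://*.workday.com/*', '*://*.myworkday.com/*', '*://*.netsuite.com/*',
    '*://*.successfactors.com/*', 'https://collector.example/*',   // exfil endpoint (hypothetical)
  ],
  content_scripts: [{ matches: ['*://*.myworkday.com/*'], js: ['content.js'] }],
  background: { service_worker: 'worker.js' },
};

// Constructed sample: a benign tool that only touches its own vendor's site.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: 'Timesheet Formatter (constructed sample)',
  permissions: ['storage'],
  host_permissions: ['https://app.example-vendor.com/*'],
};

for (const m of [SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]) {
  console.log(JSON.stringify(triageManifest(m), null, 2));
}
```

Run it against the unpacked manifest of any extension already deployed in the fleet (or against the manifests in an allowlist request) to get a quick first cut; a "block" verdict is not proof of malice, but it is the capability set a session-stealing extension cannot do without, so it is the one that warrants a manual review of the extension's code before approval.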

Impact on Security

The blocked security pages included critical administrative functions, such as managing authentication policies and two-factor authentication settings. This interference could severely hinder legitimate responses to detected security incidents.

Of particular concern, the Software Access extension also allowed bidirectional cookie manipulation. This capability lets attackers inject stolen cookies back into the browser, facilitating immediate account takeovers across targeted systems.

Remediation Steps

Following the investigation, Socket reported the harmful extensions to Google, and they appear to have been removed from the Chrome Web Store. Users who installed any of them should remove the extension and notify their security administrators promptly. Because what was stolen is a session cookie rather than a password, administrators should terminate the affected users' active sessions on the targeted platforms in addition to rotating their passwords; a password change alone does not necessarily revoke a session token that has already been issued.

This incident underscores the need for vigilance when incorporating browser extensions, particularly those presented as productivity or security tools for enterprise applications. Reviewing the permissions an extension requests before approving it, above all the combination of cookie access with host permissions on HR platform domains, would have flagged these extensions and could mitigate similar risks in an environment increasingly targeted by cybercriminals.