Login data and chatGPT keys targeted: details of attack on Chrome extensions

The broad and elaborate supply chain attack on Chrome extension developers compromises login data and ChatGPT keys. Details are now emerging.

A supply chain attack in the Chrome Web Store hit around thirty browser extensions in December and compromised the personal data of 2.6 million users. The security company Sekoia has now published further details, in particular about the infrastructure behind the attack.

The security company Annex published an initial analysis of the attack and a list of the affected extensions at the beginning of January. The attack begins with targeted phishing emails to extension developers. The emails supposedly come from Google's web store team, and the attackers threaten that the extension will be removed from the store if the developers do not accept the program policy. A button leads to a malicious application that logs into the victim's Google account via OAuth. Once the perpetrators have access to the extension's source code, they add malicious sections that aim to capture victims' personal browsing data: social media logins (Facebook), API keys (ChatGPT), session cookies and more.

As soon as a user starts the extension in question, it automatically pulls the update that contains the malicious code.


Sekoia has examined a total of a dozen infected samples that were online from December 12, 2024 (VPNCity) to December 30, 2024 (Proxy SwitchyOmega V3). Annex's list even goes back to July 2024 (HiAI), but the analysts suspect that the campaign has been active since 2023. The perpetrators appear to have stopped it at the end of December; the effort and breadth of the targeted attacks were particularly striking. There were even extra advertising pages for the hijacked extensions in order to reach as many users as possible.

The targeted phishing emails (spear phishing) contain the specific names of the extensions in the subject line. The sender addresses sound official: chromewebstore-noreply@chromeforextension.com and chromewebstore-noreply@supportchromestore.com. The "Go to Policy" button leads to a redirect page at https://app.checkpolicy.site/extension-privacy-policy?e=opfer@example.com or https://app.checkpolicy.site/accept-terms-policy?e=opfer@example.com.

The "Go to Policy" button leads to the malicious redirect page.

(Image: Sekoia)

On a real Google page, the victims should then give the "Privacy Policy Extension" OAuth access to the Google account, in particular the "see, edit, update, or publish" authorization for the extension. From then on, the attackers can operate freely in the store and change code.

The perpetrators modify the background.js script there and add another one: context_responder.js. In Chrome extensions, the background script generally serves as the central event handler for the entire extension. In the maliciously modified version, it implements handlers for contacting the command-and-control server (C2) and the servers from which access data is to be tapped, such as ChatGPT. The corresponding JSON configuration is as follows:

{
    "code": 2000,
    "graphqlnetworka": "https://chatgpt.com/api/*",
    "graphqlnetworkb": "https://chatgpt.com/public-api/conversation_limit",
    "graphqlnetworkc": "http://chatgpt.com",
    "graphqlnetworkd": "sk-<OpenAI API Key>",
    "graphqlnetworke": "backend-api/me",
    "graphqlnetworkf": "https://chatgpt.com",
    "graphqlnetworkg": "https://chatgpt.com/backend-api/compliance",
    "graphqlnetworkh": "https://chatgpt.com/api/auth/session",
    "graphqlnetworki": "auth",
    "graphqlnetworkk": "https://chatgpt.com"
}

The analysts assume that this configuration is used to steal the OpenAI key and login credentials.

The context responder script checks every URL called to see whether it is listed in a configuration file (graphqlnetwork_ext_manage) in Chrome's local storage. If so, it interacts with the background script to extract data. The scripts can presumably load further attacker configurations via the handler for the C2 network.

The attackers register a domain for each attacked extension, for example graphqlnetwork.pro for GraphQL Network Inspector. The domains have the following properties:

  • Registrar: Namecheap
  • Top-level domains: co, com, info, ink, io, live, net, pro, site
  • Hosting provider: AS 20473 (Vultr)
  • JARM fingerprint: 1dd40d40d00040d00042d43d000000e1ea2a807a629b496b664cf07ad7c08d
  • DNS A-Record: TTL: 1799

All domains point to the IP addresses 149.28.124.84 or 45.76.225.148. The redirect from the phishing mail goes via app.checkpolicy.site (136.244.115.219). The analysts identified the following other active services on the servers:

  • SSH on port 22
  • HTTP on port 80 with the standard 404 response from Nginx
  • HTTPS on port 443 with JARM fingerprint 1dd40d40d00040d00042d43d000000e1ea2a807a629b496b664cf07ad7c08d
  • REDIS on port 6379

Sekoia identified thirty domains that matched these criteria. The extensions send the stolen data to an app. subdomain (for example app.graphqlnetwork.pro) at 149.248.2.160. A MySQL service is also listening there on port 3306, presumably to systematically collect the stolen data in a database.

The attack begins with a phishing email and ends with the stolen data being sent to the C2 servers.

(Image: Sekoia)

Chrome users are advised to update all extensions. All known extensions affected by the campaign can be found in the Annex and Sekoia lists. To be on the safe side, you can find as yet unknown compromised extensions by searching the browser's local storage for a configuration file matching *_ext_manage or by checking whether communication with the C2 servers (149.28.124.84 and 45.76.225.148) is being attempted.
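The two checks recommended above (searching for a *_ext_manage configuration key and looking for the C2 addresses) can be automated against a Chrome profile on disk. The following script is an added example written for this article, not Sekoia's or Annex's tooling. It walks the Extensions and "Local Extension Settings" folders of a Chrome profile, byte-scans extension source files and the LevelDB files that back chrome.storage.local, and reports any file containing the indicators named in the article (the four IP addresses, the app.checkpolicy.site redirect host, and any *_ext_manage key). The profile paths are the standard Chrome defaults for Windows, macOS and Linux; the demo() function builds a constructed, harmless sample extension in a temporary directory so the scanner can be tried offline. Reading LevelDB files as raw bytes is a heuristic (values may be compressed), so a clean result there is not proof of absence.

```python
import re
import sys
import tempfile
from pathlib import Path

# Indicators taken from the article (Sekoia/Annex findings).
C2_IPS = {"149.28.124.84", "45.76.225.148", "149.248.2.160", "136.244.115.219"}
PHISHING_HOSTS = ("app.checkpolicy.site",)
# The context responder reads a storage key such as graphqlnetwork_ext_manage;
# match any <name>_ext_manage, as the article recommends searching for *_ext_manage.
EXT_MANAGE_RE = re.compile(rb"[A-Za-z0-9]+_ext_manage")
IP_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Extension source files plus LevelDB files that hold chrome.storage.local data.
SCAN_SUFFIXES = {".js", ".json", ".html", ".ldb", ".log"}
# Sub-folders of a Chrome profile worth scanning (standard Chrome layout).
PROFILE_SUBDIRS = ("Extensions", "Local Extension Settings")


def scan_bytes(data: bytes):
    """Return a sorted list of indicator hits found in one file's raw bytes."""
    hits = set()
    for ip in IP_RE.findall(data):
        ip_s = ip.decode()
        if ip_s in C2_IPS:
            hits.add("c2-ip:" + ip_s)
    for host in PHISHING_HOSTS:
        if host.encode() in data:
            hits.add("phish-host:" + host)
    for key in EXT_MANAGE_RE.findall(data):
        hits.add("storage-key:" + key.decode())
    return sorted(hits)


def scan_tree(root):
    """Scan every matching file below root; return {relative posix path: hits}."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            hits = scan_bytes(path.read_bytes())
        except OSError:
            continue  # unreadable file (locked by a running browser, permissions)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def chrome_profile_roots():
    """Default Chrome profile directories that exist on this machine (assumed defaults)."""
    home = Path.home()
    candidates = [
        home / "AppData/Local/Google/Chrome/User Data/Default",
        home / "Library/Application Support/Google/Chrome/Default",
        home / ".config/google-chrome/Default",
    ]
    return [p for p in candidates if p.is_dir()]


def demo():
    """Constructed sample: one extension with a tainted background.js and one clean file."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "Extensions" / "abcdefghijklmnop" / "1.0.0_0"
        ext.mkdir(parents=True)
        (ext / "background.js").write_text(
            'chrome.storage.local.get("graphqlnetwork_ext_manage", cfg => {\n'
            '  fetch("http://45.76.225.148/");  // constructed sample, not real code\n'
            "});\n"
        )
        (ext / "clean.js").write_text("chrome.runtime.onInstalled.addListener(() => {});\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    roots = [Path(p) for p in sys.argv[1:]] or chrome_profile_roots()
    if not roots:
        print("no Chrome profile found; pass a profile directory as argument")
        sys.exit(1)
    for root in roots:
        for sub in PROFILE_SUBDIRS:
            for rel, hits in scan_tree(root / sub).items():
                print(f"{root / sub / rel}: {', '.join(hits)}")
```

Run it without arguments to scan the default profile, or pass the path of a specific profile directory (for example a non-default Chrome profile). Any hit identifies the extension ID from the folder name under Extensions, which can then be removed and the account credentials and keys it had access to rotated.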

Those affected should quickly delete cookies and change passwords and keys.

(who)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.