Chrome extension vulnerabilities leave millions at risk of 2FA bypass attacks, with hackers targeting multiple companies. (Shutterstock)
Share
Getting your Trinity Audio player ready...
|
Google Chrome users face potential security risks as hackers target browser extensions to bypass two-factor authentication (2FA), as reported by Forbes.
The attacks, which began in mid-December, have compromised several companies’ Chrome extensions, potentially affecting millions of users.
Christmas Eve Attack
One notable incident involved Cyberhaven, a data attack detection company.
On Christmas Eve, a phishing attack compromised an employee’s credentials, allowing hackers to publish a malicious version of their Chrome extension. Cyberhaven CEO Howard Ting stated, “We want to share the full details of the incident and steps we’re taking to protect our customers and mitigate any damage.”
The attack bypassed 2FA by capturing session cookies, which authenticate user sessions. This method allows attackers to reuse the stolen cookies and access accounts without needing the 2FA code.
Related Story: Quantum Computing Inches Closer to Reality After Another Google Breakthrough
Google’s Recommendations to Mitigate Risks
To mitigate risks, Google recommends using passkeys and security keys. Vivek Ramachandran, founder of SquareX, suggests implementing server-side restrictions on risky OAuth scopes and using client-side Browser Detection-Response tools.
Google’s Chrome security team employs both automated and manual reviews to check extensions before publication on the Chrome Web Store. They also continuously monitor published extensions. Despite these efforts, some malicious extensions still slip through.
Users can protect themselves by:
1. Checking installed extensions at “chrome://extensions”
2. Running a Chrome Safety Check
3. Enabling enhanced protection mode in Safe Browsing
According to a Google spokesperson, “Google research has shown that security keys provide stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.”
Read more at Forbes
RELATED TOPICS:
Trump Says Netanyahu’s Trial Should Be Canceled
12 hours ago
Trump Signals US May Ease Iran Oil Sanction Enforcement to Help Rebuild Country
13 hours ago
CIA Says Intelligence Indicates Iran’s Nuclear Program Severely Damaged
13 hours ago
Upscale Woodward Park Area Apartments Sell for $19 Million
15 hours ago
Trump Administration Orders CA to Strip Trans Athlete of Medals
15 hours ago
Three Mile Island Nuclear Plant Reboot Fast-Tracked to 2027
15 hours ago
Democratic Lawmaker Pleads Not Guilty to Assaulting US Agents at Immigration Center
15 hours ago

Israeli Settlers Raid West Bank Town, Troops Kill 3 Palestinians

West Nile Virus Detected in Mosquitoes in Fresno County

Trump Says Netanyahu’s Trial Should Be Canceled

Trump Signals US May Ease Iran Oil Sanction Enforcement to Help Rebuild Country

CIA Says Intelligence Indicates Iran’s Nuclear Program Severely Damaged
