Chrome extension vulnerabilities leave millions at risk of 2FA bypass attacks, with hackers targeting multiple companies. (Shutterstock)
Share
Getting your Trinity Audio player ready...
|
Google Chrome users face potential security risks as hackers target browser extensions to bypass two-factor authentication (2FA), as reported by Forbes.
The attacks, which began in mid-December, have compromised several companies’ Chrome extensions, potentially affecting millions of users.
Christmas Eve Attack
One notable incident involved Cyberhaven, a data attack detection company.
On Christmas Eve, a phishing attack compromised an employee’s credentials, allowing hackers to publish a malicious version of their Chrome extension. Cyberhaven CEO Howard Ting stated, “We want to share the full details of the incident and steps we’re taking to protect our customers and mitigate any damage.”
The attack bypassed 2FA by capturing session cookies, which authenticate user sessions. This method allows attackers to reuse the stolen cookies and access accounts without needing the 2FA code.
Related Story: Quantum Computing Inches Closer to Reality After Another Google Breakthrough
Google’s Recommendations to Mitigate Risks
To mitigate risks, Google recommends using passkeys and security keys. Vivek Ramachandran, founder of SquareX, suggests implementing server-side restrictions on risky OAuth scopes and using client-side Browser Detection-Response tools.
Google’s Chrome security team employs both automated and manual reviews to check extensions before publication on the Chrome Web Store. They also continuously monitor published extensions. Despite these efforts, some malicious extensions still slip through.
Users can protect themselves by:
1. Checking installed extensions at “chrome://extensions”
2. Running a Chrome Safety Check
3. Enabling enhanced protection mode in Safe Browsing
According to a Google spokesperson, “Google research has shown that security keys provide stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.”
Read more at Forbes
RELATED TOPICS:
Were Cuts in Rooftop Solar Payments Legal? CA Supreme Court Hears Arguments
3 hours ago
Biden’s IRS Doubled Audits on the Wealthy, Data Shows
4 hours ago
Supreme Court Rules Catholic Charity Exempt From State Unemployment Taxes
5 hours ago
Valley Crime Stoppers’ Most Wanted Person of the Day: Fermin Solorzano
5 hours ago
Supreme Court Rejects Mexico’s $10B Gun Lawsuit Against American Gun Manufacturers
5 hours ago
Fresno Police Want Your Tips to Solve Taylor Washington Homicide
1 hour ago
Categories

Fresno Police Want Your Tips to Solve Taylor Washington Homicide

Derek Carr Explains Mysterious Retirement. He Didn’t Want to ‘Just Take the Saints’ Money’

Were Cuts in Rooftop Solar Payments Legal? CA Supreme Court Hears Arguments

Biden’s IRS Doubled Audits on the Wealthy, Data Shows
