Has a Security Tool Become a Malware Carrier?
When a cybersecurity company itself becomes a vehicle for spreading malware, what kind of fallout follows? This is not sensationalism but what actually happened to Cyberhaven: one of its Chrome extensions was infected with malicious code, affecting more than 400,000 users.
Malicious Code Slips into a Security Company
The incident began with a carefully planned phishing attack. Cyberhaven is a startup focused on data loss prevention (DLP) technology, aimed at stopping users from leaking sensitive information to unauthorized platforms (such as ChatGPT and Facebook). On the strength of its products, the company had just closed an $88 million funding round and was riding high.
However, on Christmas Eve, a Cyberhaven administrator received a disturbing email. The email impersonated Google and, citing a policy violation, threatened to remove the company's Chrome extension from the Chrome Web Store. Such a removal would be a severe blow to any security company that depends on a browser extension. The email lured the administrator into clicking a link and granting permissions to an application named "Privacy Policy Extension"; unbeknownst to the administrator, this seemingly harmless OAuth app was a tool under the attacker's control.
[Figure: screenshot of the phishing email]
Permission Hijacking and a Malicious Release
By tricking the administrator into approving the consent prompt, the attacker obtained an OAuth token with permission to upload new versions of the extension. Because this was a consent grant rather than a login, no password was stolen and multi-factor authentication on the account offered no protection. Shortly afterwards, a new version with the malicious code implanted was quietly published. Although Google states that every version uploaded to the store is security-checked and scanned, the malicious version got through, and the automatic update mechanism of installed browser extensions then pushed it to users without any action on their part.
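The consent grant described above is exactly the kind of thing a defender wants to audit: a third-party OAuth client that holds the Chrome Web Store publishing scope for a developer account. The following script is an added example, not the article's or Cyberhaven's code. It flags grants whose scopes include the Web Store scope from a client that is not on an allowlist. The record fields (userKey, clientId, displayText, scopes) follow the shape of the Google Workspace Directory API "Tokens" resource, which is where such grants can be listed (tokens.list) and revoked (tokens.delete); the client IDs, the allowlist and the sample records are constructed for the example.

```python
"""Flag third-party OAuth grants that can publish to the Chrome Web Store.

Added example, not from the original article. Record shape follows the
Directory API Tokens resource; the sample records are constructed, not real.
"""

# Scope that lets an OAuth client manage items in the Chrome Web Store.
CWS_SCOPE = "https://www.googleapis.com/auth/chromewebstore"

# Hypothetical allowlist: client IDs the team knowingly uses for publishing.
APPROVED_PUBLISHERS = {"111111111111-cipublish.apps.googleusercontent.com"}


def risky_grants(tokens, approved=APPROVED_PUBLISHERS):
    """Return grants holding the Web Store scope from a non-approved client.

    A password reset or MFA rollout does not revoke these; they must be
    found by scope and revoked explicitly.
    """
    findings = []
    for t in tokens:
        scopes = set(t.get("scopes", []))
        if CWS_SCOPE in scopes and t.get("clientId") not in approved:
            findings.append({
                "user": t.get("userKey"),
                "app": t.get("displayText"),
                "clientId": t.get("clientId"),
                "scopes": sorted(scopes),
            })
    return findings


# Constructed sample: three consent grants on one developer account.
SAMPLE_TOKENS = [
    {"userKey": "dev@example.com",
     "clientId": "111111111111-cipublish.apps.googleusercontent.com",
     "displayText": "CI publisher", "scopes": [CWS_SCOPE]},
    {"userKey": "dev@example.com",
     "clientId": "222222222222-calendar.apps.googleusercontent.com",
     "displayText": "Calendar sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "dev@example.com",
     "clientId": "333333333333-ppe.apps.googleusercontent.com",
     "displayText": "Privacy Policy Extension",  # name used in the phishing lure
     "scopes": [CWS_SCOPE, "https://www.googleapis.com/auth/userinfo.email"]},
]

if __name__ == "__main__":
    for f in risky_grants(SAMPLE_TOKENS):
        print(f"REVOKE? {f['user']} granted {f['app']!r} "
              f"({f['clientId']}) scopes={f['scopes']}")
```

The allowlist is keyed on client ID rather than display name because the display name is chosen by whoever registers the OAuth client; "Privacy Policy Extension" looked harmless precisely because names carry no trust.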
Multiple Extensions Affected, a Wide Threat Range
Cyberhaven was not the only victim: analysis shows the attacker also targeted other popular extensions, including Proxy SwitchyOmega (V3), bringing the total number of affected users to as many as 500,000. The malicious extension versions attempt to read the user's browser cookies and passwords and upload them, directly endangering user privacy and account security.
Affected Extensions
Extension name, extension ID where the source gives one, and status (🟢 fixed in the stated version or removed from the store; 🔴 not yet addressed at the time of writing):
- YesCaptcha assistant 🔴 Not yet addressed
- Bookmark Favicon Changer 🟢 Addressed in 5.1
- Proxy SwitchyOmega (V3) 🔴 Not yet addressed
- GraphQL Network Inspector 🟢 Addressed in 2.22.7
- AI Assistant (bibjgkidgpfbblifamdlkdlhgihmfohh) 🟢 Removed from store
- Bard AI chat (pkgciiiancapdlpcbppfkmeaieppikkk) 🟢 Removed from store
- ChatGPT for Google Meet (epdjhgbipjpbbhoccdeipghoihibnfja) 🟢 Removed from store
- Search Copilot AI Assistant for Chrome (bbdnohkpnbkdkmnkddobeafboooinpla) 🟢 Removed from store
- TinaMind (befflofjcniongenjmbkgkoljhgliihe) 🟢 Addressed in 2.14.0
- Wayin AI (cedgndijpacnfbdggppddacngjfdkaca) 🟢 Addressed in 0.0.11
- VPNCity (nnpnnpemnckcfdebeekibpiijlicmpom) 🔴 Not yet addressed
- Internxt VPN (dpggmcodlahmljkhlmpgpdcffdaoccni) 🟢 Addressed in 1.2.0
- Vidnoz Flex (cplhlgabfijoiabgkigdafklbhhdkahj) 🟢 Removed from store
- VidHelper (egmennebgadmncfjafcemlecimkepcle) 🔴 Not yet addressed
- Castorus (mnhffkhmpnefgklngfmlndmkimimbphc) 🟢 Addressed in 4.41
- Uvoice (oaikpkmjciadfpddlpjjdapglcihgdle) 🔴 Not yet addressed
- Reader Mode (fbmlcbhdmilaggedifpihjgkkmdgeljh) 🔴 Not yet addressed
- ParrotTalks (kkodiihpgodmdankclfibbiphjkfdenh) 🔴 Not yet addressed
- Primus (oeiomhmbaapihbilkfkhmlajkeegnjhe) 🟢 Addressed in 3.20.0
- Keyboard History Recorder (igbodamhgjohafcenbcljfegbipdfjpk) 🔴 Not yet addressed
- ChatGPT Assistant (bgejafhieobnfpjlpcjjggoboebonfcg) 🔴 Not yet addressed
- Reader Mode (llimhhconnjiflfimocjggfjdlmlhblm) 🟢 Removed from store
- Visual Effects for Google Meet (hodiladlefdpcbemnbbcpclbmknkiaem) 🟢 Addressed in 3.2.4
- AI Shop Buddy (epikoohpebngmakjinphfiagogjcnddm) 🔴 Not yet addressed
- Cyberhaven V3 Security Extension (pajkjnmeojmbapicmbpliphjmcekeaac) 🟢 Addressed
- Earny (ogbhbgkiojdollpjbhbamafmedkeockb) 🔴 Not yet addressed
- Rewards Search Automator (eanofdhdfbcalhflpbdipkjjkoimeeod) 🔴 Not yet addressed
- Tackker (ekpkdmohpdnebfedjjfklhpefgpgaaji) 🟢 Addressed
- Sort By (miglaibdlgminlepgeifekifakochlka) 🔴 Not yet addressed
- Email Hunter (mbindhfolmpijhodmgkloeeppmkhpmhc) 🔴 Not yet addressed
- ChatGPT Quick Access (didhgeamncokiaegffipckhhcpnmlcbl) 🟢 Removed from store
- Web Mirror (eaijffijbobmnonfhilihbejadplhddo) 🔴 Not yet addressed
- ChatGPT App (lbneaaedflankmgmfbmaplggbmjjmbae) 🔴 Not yet addressed
- Hi AI (hmiaoahjllhfgebflooeeefeiafpkfde) 🔴 Not yet addressed
- Web3Password Manager (pdkmmfdfggfpibdjbbghggcllhhainjo) 🔴 Not yet addressed
- Where is Cookie? (emedckhdnioeieppmeojgegjfkhdlaeo) 🔴 Not yet addressed
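To check whether a machine is affected, the list above can be matched against the extensions actually installed in a Chrome profile. The script below is an added example, not the article's or any vendor's tool. It assumes Chrome's on-disk layout of <user-data-dir>/<profile>/Extensions/<extension-id>/<version>_<n>/manifest.json, reads the installed version from each manifest, and flags an ID when it is unfixed or removed, or when the installed version is older than the fixed version given above (entries marked "Addressed" with no version are flagged for manual review). The demo profile it builds is constructed, not a real capture, and the 32-character ID of all "a"s is a hypothetical unrelated extension.

```python
"""Scan a Chrome/Chromium profile for the extension IDs listed above.

Added example, not from the original article. Assumes Chrome's layout
<profile>/Extensions/<id>/<version>_<n>/manifest.json; the demo profile
built at the bottom is constructed, not a real capture.
"""
import json
import os
import tempfile

# Extension ID -> (name, first fixed version or None), from the list above.
# None covers "not yet addressed", "removed from store" and "addressed" with
# no version given, so every installed copy of that ID is flagged for review.
AFFECTED = {
    "bibjgkidgpfbblifamdlkdlhgihmfohh": ("AI Assistant", None),
    "pkgciiiancapdlpcbppfkmeaieppikkk": ("Bard AI chat", None),
    "epdjhgbipjpbbhoccdeipghoihibnfja": ("ChatGPT for Google Meet", None),
    "bbdnohkpnbkdkmnkddobeafboooinpla": ("Search Copilot AI Assistant for Chrome", None),
    "befflofjcniongenjmbkgkoljhgliihe": ("TinaMind", "2.14.0"),
    "cedgndijpacnfbdggppddacngjfdkaca": ("Wayin AI", "0.0.11"),
    "nnpnnpemnckcfdebeekibpiijlicmpom": ("VPNCity", None),
    "dpggmcodlahmljkhlmpgpdcffdaoccni": ("Internxt VPN", "1.2.0"),
    "cplhlgabfijoiabgkigdafklbhhdkahj": ("Vidnoz Flex", None),
    "egmennebgadmncfjafcemlecimkepcle": ("VidHelper", None),
    "mnhffkhmpnefgklngfmlndmkimimbphc": ("Castorus", "4.41"),
    "oaikpkmjciadfpddlpjjdapglcihgdle": ("Uvoice", None),
    "fbmlcbhdmilaggedifpihjgkkmdgeljh": ("Reader Mode", None),
    "kkodiihpgodmdankclfibbiphjkfdenh": ("ParrotTalks", None),
    "oeiomhmbaapihbilkfkhmlajkeegnjhe": ("Primus", "3.20.0"),
    "igbodamhgjohafcenbcljfegbipdfjpk": ("Keyboard History Recorder", None),
    "bgejafhieobnfpjlpcjjggoboebonfcg": ("ChatGPT Assistant", None),
    "llimhhconnjiflfimocjggfjdlmlhblm": ("Reader Mode", None),
    "hodiladlefdpcbemnbbcpclbmknkiaem": ("Visual Effects for Google Meet", "3.2.4"),
    "epikoohpebngmakjinphfiagogjcnddm": ("AI Shop Buddy", None),
    "pajkjnmeojmbapicmbpliphjmcekeaac": ("Cyberhaven V3 Security Extension", None),
    "ogbhbgkiojdollpjbhbamafmedkeockb": ("Earny", None),
    "eanofdhdfbcalhflpbdipkjjkoimeeod": ("Rewards Search Automator", None),
    "ekpkdmohpdnebfedjjfklhpefgpgaaji": ("Tackker", None),
    "miglaibdlgminlepgeifekifakochlka": ("Sort By", None),
    "mbindhfolmpijhodmgkloeeppmkhpmhc": ("Email Hunter", None),
    "didhgeamncokiaegffipckhhcpnmlcbl": ("ChatGPT Quick Access", None),
    "eaijffijbobmnonfhilihbejadplhddo": ("Web Mirror", None),
    "lbneaaedflankmgmfbmaplggbmjjmbae": ("ChatGPT App", None),
    "hmiaoahjllhfgebflooeeefeiafpkfde": ("Hi AI", None),
    "pdkmmfdfggfpibdjbbghggcllhhainjo": ("Web3Password Manager", None),
    "emedckhdnioeieppmeojgegjfkhdlaeo": ("Where is Cookie?", None),
}


def version_tuple(v):
    """'24.10.4' -> (24, 10, 4); a non-numeric component counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_suspect(ext_id, installed_version):
    """True if this ID/version pair should be pulled for review."""
    entry = AFFECTED.get(ext_id)
    if entry is None:
        return False
    fixed = entry[1]
    return fixed is None or version_tuple(installed_version) < version_tuple(fixed)


def scan_profile(profile_dir):
    """Return [(id, name, version)] for suspect extensions under one profile."""
    hits = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return hits
    for ext_id in sorted(os.listdir(ext_root)):
        if ext_id not in AFFECTED:
            continue
        for vdir in sorted(os.listdir(os.path.join(ext_root, ext_id))):
            version = vdir.split("_")[0]  # Chrome names the dir "<version>_<n>"
            manifest = os.path.join(ext_root, ext_id, vdir, "manifest.json")
            if os.path.isfile(manifest):
                with open(manifest) as f:  # manifest version is authoritative
                    version = json.load(f).get("version", version)
            if is_suspect(ext_id, version):
                hits.append((ext_id, AFFECTED[ext_id][0], version))
    return hits


def build_demo_profile():
    """Constructed profile: an unfixed ID, a fixed ID below and at its fixed
    version, and a hypothetical unrelated ID that must not be flagged."""
    profile = os.path.join(tempfile.mkdtemp(), "Default")
    for ext_id, version in [
        ("nnpnnpemnckcfdebeekibpiijlicmpom", "1.0.0"),   # VPNCity: not yet addressed
        ("befflofjcniongenjmbkgkoljhgliihe", "2.13.0"),  # TinaMind: below 2.14.0
        ("befflofjcniongenjmbkgkoljhgliihe", "2.14.0"),  # TinaMind: at fixed version
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "9.9.9"),   # hypothetical, unrelated
    ]:
        vdir = os.path.join(profile, "Extensions", ext_id, version + "_0")
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w") as f:
            json.dump({"version": version}, f)
    return profile


if __name__ == "__main__":
    for ext_id, name, version in scan_profile(build_demo_profile()):
        print(f"REVIEW {name} ({ext_id}) version {version}")
```

To run it against a real machine, point scan_profile at a profile directory such as ~/.config/google-chrome/Default on Linux, ~/Library/Application Support/Google/Chrome/Default on macOS, or %LOCALAPPDATA%\Google\Chrome\User Data\Default on Windows, and repeat for every profile. A "fixed" version only means the publisher shipped a clean build; a flagged copy should still be removed and the browser's saved sessions re-authenticated, since the malicious versions targeted cookies.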
Originally published on the WeChat official account Secu的矛与盾 as: "Uh-oh, we've been hit [multiple browser extensions hit by a supply chain attack], including Proxy SwitchyOmega (V3). Check now whether you're affected!!!"