A recent large-scale attack campaign targeting Google Chrome extensions, affecting up to 2.6 million users, underscores the urgent need for businesses to prioritize SaaS security, monitor OAuth tokens, and evaluate third-party integration risks.
What Happened?
A widespread attack compromised at least 35 Chrome browser extensions, including that of Cyberhaven, a cybersecurity company, exposing users to data theft and credential exfiltration. Key details include:
- Cyberhaven Incident: Hackers compromised Cyberhaven’s Chrome Web Store admin account to publish a malicious update. This update enabled attackers to exfiltrate sensitive data, such as session tokens and cookies. Cyberhaven’s disclosure provides additional insights into their response and ongoing security efforts.
- Consent Phishing Campaign: Attackers deployed consent phishing tactics, tricking users into granting permissions to a malicious OAuth application disguised as a legitimate "Privacy Policy Extension."
- Malicious Code Activity: The compromised extensions targeted sensitive data, including corporate credentials and Facebook Ads account information, through hidden code.
- AI Tools As An Attack Vector: Extensions like “AI Assistant - ChatGPT” and “GPT 4 Summary” were compromised, illustrating how attackers leveraged transitive trust to exploit high-privilege third-party integrations, including GenAI tools.
Understanding Consent Phishing
Consent phishing exploits OAuth consent flows, manipulating users into granting permissions to malicious applications without requiring credential theft. Here’s how it works:
- The attacker presents a legitimate-looking email with a link requesting consent to an OAuth application. In this case, the email posed as coming from Google Chrome Web Store Developer Support.
- The OAuth consent link asks the user to grant the application permissions, such as access to the Google Chrome Web Store.
- By clicking "Allow," users unknowingly grant the attacker access to sensitive data or system APIs.
Unlike traditional phishing, consent phishing bypasses multifactor authentication (MFA) because it doesn’t request credentials. Instead, users are duped into approving access without realizing the implications. The method exploits both users’ trust in application authentication (including OAuth) and their readiness to click “Accept” without reading the permissions being granted. Once permissions are granted, attackers can:
- Access APIs and exfiltrate data
- Impersonate users within SaaS (and other) applications
- Bypass security controls without raising alarms
Supply Chain Attacks via Browser Extensions
The breach highlights how browser extensions can act as entry points for supply chain attacks. Extensions often require broad permissions, including access to credentials, browser data and session tokens—making them an attractive target for attackers. When compromised, they can act as conduits for attackers to infiltrate corporate systems. In a sense, browsers have become pivotal endpoints in modern cybersecurity.
Attackers target trusted third-party vendors to exploit transitive access, leveraging the permissions granted to extensions and their underlying SaaS platforms.
GenAI Tools: Opportunities and Risks
Many of the targeted Chrome extensions included AI-focused tools, such as "GPT 4 Summary" and "Search Copilot AI Assistant." This reflects an emerging trend of attackers targeting high-trust, high-privilege third-party vendors, including GenAI tools.
While GenAI tools unlock transformative capabilities, their adoption introduces unique security challenges:
- Shadow IT and Unsanctioned Use: Employees often trial free GenAI tools without IT approval, creating blind spots for security teams.
- Data Access Risks: GenAI tools require access to vast amounts of sensitive data across SaaS environments, such as sales pipelines, customer records, and messaging histories.
- Privacy Concerns: Free or lesser-known GenAI tools may collect user data for training purposes, risking regulatory violations and inadvertent data exposure.
- Rapid Innovation, Complex Security: The fast pace of innovation in GenAI creates a dynamic and challenging security landscape.
Attackers target these tools because of the significant access and privileges they require. Security teams must actively monitor shadow AI usage while enforcing least-privilege principles for sanctioned tools. Additionally, organizations should implement real-time monitoring for suspicious activities and unauthorized permissions to mitigate risks associated with GenAI adoption.
Secure Your SaaS-to-SaaS Integrations
OAuth tokens, often granted through browser extensions or third-party integrations, play a critical role in SaaS security. Organizations should:
- Provide Phishing Awareness Training: Educate users on the risks of malicious consent requests, how to identify them, and when to verify with the security team before granting consent
- Monitor Token Activity: Regularly audit OAuth tokens to ensure they are active and appropriately scoped. In addition, use identity threat detection and response (ITDR) capabilities to detect live abuse of tokens and other non-human identities
- Revoke Inactive Tokens: Revoke tokens linked to inactive or deprovisioned accounts to minimize risk
- Restrict Permissions: Grant the least privilege necessary for each token’s purpose
- Browser Security: Implement browser security policies and monitor extension activity
These measures help reduce risks but must be coupled with consent awareness training to address the root cause of many attacks: users unknowingly granting dangerous permissions.
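As an added example (not code from the original post or from Valence), the following Python script runs the audit checks listed above over a constructed inventory of OAuth grants; the record fields, the sanctioned app list and the sensitive scope list are assumptions for illustration, not any provider's real API.

```python
# Added example: audit a constructed OAuth grant inventory for the conditions
# the post recommends acting on: tokens owned by deprovisioned accounts, tokens
# inactive beyond a threshold, unsanctioned (shadow) apps, and sensitive scopes.
# Field names, app names and scope lists below are assumptions for this example.
from datetime import datetime, timedelta

# Scopes that confer publishing or broad data access and warrant least-privilege review.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore",  # can publish extension updates
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.readonly",
}
SANCTIONED_APPS = {"Corporate SSO Connector", "Approved CRM Sync"}  # assumed allowlist
INACTIVE_AFTER = timedelta(days=90)

# Constructed sample grants: "last_used" is an ISO date, "user_active" the owner's account state.
GRANTS = [
    {"app": "Corporate SSO Connector", "user": "alice@example.com", "user_active": True,
     "scopes": ["openid", "email"], "last_used": "2024-12-20"},
    {"app": "Privacy Policy Extension", "user": "dev@example.com", "user_active": True,
     "scopes": ["https://www.googleapis.com/auth/chromewebstore"], "last_used": "2024-12-24"},
    {"app": "Approved CRM Sync", "user": "bob@example.com", "user_active": False,
     "scopes": ["https://www.googleapis.com/auth/drive"], "last_used": "2024-06-01"},
    {"app": "GPT Summarizer", "user": "carol@example.com", "user_active": True,
     "scopes": ["openid"], "last_used": "2024-05-10"},
]


def audit_grants(grants, as_of):
    """Return {(app, user): [finding, ...]} for every grant that needs action as of an ISO date."""
    now = datetime.strptime(as_of, "%Y-%m-%d")
    findings = {}
    for g in grants:
        issues = []
        last_used = datetime.strptime(g["last_used"], "%Y-%m-%d")
        if not g["user_active"]:
            issues.append("revoke: owner account deprovisioned")
        elif now - last_used > INACTIVE_AFTER:
            issues.append("revoke: token inactive")
        if g["app"] not in SANCTIONED_APPS:
            issues.append("review: unsanctioned app")
        risky = SENSITIVE_SCOPES.intersection(g["scopes"])
        if risky:
            issues.append("restrict: sensitive scopes " + ", ".join(sorted(risky)))
        if issues:
            findings[(g["app"], g["user"])] = issues
    return findings


if __name__ == "__main__":
    for key, issues in audit_grants(GRANTS, "2024-12-26").items():
        print(key, issues)
```

Each finding is prefixed with the action the post recommends (revoke, review, restrict) so the output can feed a ticketing or remediation workflow directly.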
How Valence Helps: Valence empowers organizations to identify, monitor, and manage OAuth tokens and other non-human identities (NHIs) across SaaS applications. By delivering detailed visibility and enforcing least-privilege access models, Valence helps security teams to reduce risks associated with over-privileged or inactive tokens. Through real-time monitoring and remediation capabilities, organizations can swiftly detect suspicious activity, reducing the likelihood of unauthorized access or breaches.
Conclusion
This attack campaign is another SaaS-focused breach, leveraging third-party integrations to exploit trust and gain access to sensitive environments. This incident highlights the broader challenges of SaaS security and the importance of:
- Regularly auditing third-party integrations and browser extensions
- Educating users on the risks of consent phishing and shadow IT
- Implementing robust SaaS security measures, including monitoring OAuth tokens and managing permissions
As businesses increasingly rely on SaaS applications, GenAI tools, and browser extensions, attackers are targeting these high-trust ecosystems to exploit gaps in security. To safeguard sensitive data, organizations must adopt comprehensive SaaS security strategies that address the growing complexity and dynamic risks of modern application environments.