Five Chrome extensions caught hijacking enterprise sessions

Blocking defenses and hijacking sessions: The campaign went beyond stealing credentials. Two of the extensions, Tool Access 11 and Data By Cloud 2, incorporated DOM manipulation routines that actively blocked access to security and administrative pages within the targeted platforms. This prevented the enterprise admins from reaching screens to change passwords, view sign-on history, or disable compromised accounts, even if they detected suspicious behavior.

The most advanced of the five, Software Access, offered (on top of cookie theft) bidirectional cookie injection where stolen session tokens were reintroduced into a browser controlled by the attacker. Using APIs like chrome.cookies.set(), this feature implants valid authentication cookies directly and grants threat actors an authenticated session without any further action from unsuspecting users. This technique effectively bypasses login screens and multi-factor authentication, allowing immediate account takeover.

“While four extensions are published under databycloud1104 and the fifth under different branding, all five share identical infrastructure patterns indicating a single coordinated operation,” the researchers added.

Socket advised organizations to strictly audit and limit browser extensions, closely scrutinize permissions requests, and remove add-ons that unnecessarily access cookies or enterprise sites. The blog also recommended monitoring for abnormal session activity and using tools that can detect malicious extension behavior before it reaches users.
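One way to act on the audit advice above is to flag installed extensions whose manifest combines the `cookies` permission or a content script with host access to enterprise sites. This is an added example, not code from Socket or the article; the watched hosts and both sample manifests are constructed placeholders.

```python
import re

# Constructed placeholder hosts; replace with your own enterprise SaaS domains.
WATCHED = ["hr.example.com", "erp.example.net"]

def host_covers(pattern, domain):
    """True if the host part of a Chrome match pattern covers `domain`."""
    if pattern == "<all_urls>":
        return True
    m = re.match(r"^(?:\*|https?)://([^/]+)/", pattern)
    if not m:
        return False  # an API permission name or a non-web scheme
    host = m.group(1)
    if host == "*":
        return True
    if host.startswith("*."):  # "*.example.com" covers the apex and subdomains
        return domain == host[2:] or domain.endswith(host[1:])
    return host == domain

def audit_manifest(manifest, watched=WATCHED):
    """Return (finding, domains) tuples for one parsed manifest.json."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # MV2 lists host patterns inside "permissions"; MV3 uses "host_permissions".
    hosts = perms + manifest.get("host_permissions", [])
    reach = [d for d in watched if any(host_covers(p, d) for p in hosts)]
    matches = [p for cs in manifest.get("content_scripts", []) for p in cs.get("matches", [])]
    scripted = [d for d in watched if any(host_covers(p, d) for p in matches)]
    findings = []
    if "cookies" in perms and reach:
        # chrome.cookies needs the "cookies" permission plus host access.
        findings.append(("cookie-read-write", reach))
    if scripted:
        # Content scripts can rewrite the DOM of the pages they match.
        findings.append(("content-script", scripted))
    return findings

# Constructed manifests for illustration only.
SUSPICIOUS = {"manifest_version": 3, "name": "constructed-sample-a",
              "permissions": ["cookies", "storage"],
              "host_permissions": ["https://*.example.com/*"],
              "content_scripts": [{"matches": ["https://hr.example.com/*"], "js": ["c.js"]}]}
BENIGN = {"manifest_version": 3, "name": "constructed-sample-b",
          "permissions": ["storage"],
          "content_scripts": [{"matches": ["https://news.example.org/*"], "js": ["c.js"]}]}

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        print(m["name"], audit_manifest(m))
```

A finding is a prompt for review, not proof of malice: many legitimate extensions request the same permissions, so compare each hit against the business need for that extension.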

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4118607/five-chrome-extensions-caught-hijacking-enterprise-sessions.html
