Google Chrome 2FA Compromised In Cyberattack

Two-factor authentication is supposed to deter hackers, but that doesn’t always work as planned. Thanks to a Google Chrome 2FA bypass attack, hackers completely avoided needing 2FA codes to access accounts.

Holiday for Hackers

While many people were celebrating Christmas Eve, hackers used a phishing message to compromise the account of a Cyberhaven employee. What appeared to be a legitimate message about the Cyberhaven Chrome extension being removed from the Chrome Web Store turned out to be a malicious message that gave hackers the access they needed to replace the real version of the Cyberhaven extension with a malicious version.

The employee’s account credentials were never compromised, and the multi-factor authentication (MFA) code wasn’t received either. However, the cyberattack left the extension and users’ accounts compromised for a few days.

Bypassing Chrome 2FA

The CEO of Cyberhaven, Howard Ting, stated that the attack was discovered late on Christmas Day, and the malicious extension was removed within an hour of discovery. It's actually impressive that the company not only found the issue but also took steps to resolve the problem and inform users in less than 48 hours.

Only users who had auto-update turned on in Chrome and were using the Cyberhaven Chrome extension were possibly affected. Here’s where it became troublesome: it didn’t matter if you had Chrome 2FA set up or not – hackers could bypass it.

Cookies stored in Chrome let hackers bypass the 2FA requirement, because the browser presented users as already authenticated. Yes, it's convenient for you not to have to get a code constantly, but it's also a quick way for hackers to get into your accounts.
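Because the bypass works through cookies that an extension can reach, a useful check is which installed extensions are able to read cookies at all. The following Python script is an added example, not part of the original article: it rates extensions from their `manifest.json` contents. The sample manifests and extension IDs are constructed, and the low/medium/high labels are this example's own assumption.

```python
import json

# Constructed sample manifests (not real extensions), keyed by placeholder IDs.
SAMPLE_MANIFESTS = {
    "ext-a": json.dumps({"name": "Sample DLP Helper", "version": "1.0.0",
        "manifest_version": 3, "permissions": ["cookies", "storage"],
        "host_permissions": ["<all_urls>"]}),
    "ext-b": json.dumps({"name": "Sample Dark Theme", "version": "2.3.1",
        "manifest_version": 3, "permissions": ["storage"]}),
    "ext-c": json.dumps({"name": "Sample Page Notes", "version": "0.9.0",
        "manifest_version": 2, "permissions": ["tabs", "https://*/*"],
        "content_scripts": [{"matches": ["https://*/*"], "js": ["notes.js"]}]}),
    "ext-d": json.dumps({"name": "Sample Site Tool", "version": "4.0.2",
        "manifest_version": 3, "permissions": ["cookies"],
        "host_permissions": ["https://example.com/*"]}),
}

# Match patterns that cover every (or nearly every) site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(m):
    """Host patterns from MV3 host_permissions plus MV2-style permissions."""
    hosts = list(m.get("host_permissions", []))
    hosts += [p for p in m.get("permissions", [])
              if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    return hosts

def assess(manifest_json):
    m = json.loads(manifest_json)
    perms = {p for p in m.get("permissions", []) if isinstance(p, str)}
    hosts = host_patterns(m)
    script_hosts = [p for cs in m.get("content_scripts", [])
                    for p in cs.get("matches", [])]
    findings, risk = [], "low"
    if "cookies" in perms and hosts:
        # The cookies API also returns HttpOnly cookies for permitted hosts.
        broad = bool(BROAD & set(hosts))
        findings.append("cookies API on " + ("all sites" if broad else ", ".join(hosts)))
        risk = "high" if broad else "medium"
    if BROAD & set(script_hosts):
        # A content script shares the page's document.cookie (non-HttpOnly only).
        findings.append("content script on all sites")
        risk = "medium" if risk == "low" else risk
    return {"name": m.get("name"), "version": m.get("version"),
            "risk": risk, "findings": findings}

def audit(manifests):
    return {ext_id: assess(raw) for ext_id, raw in manifests.items()}

if __name__ == "__main__":
    for ext_id, r in audit(SAMPLE_MANIFESTS).items():
        print(ext_id, r["risk"], r["name"], r["version"], "; ".join(r["findings"]) or "-")
```

The reported version is included so that results can be compared against the affected version named in a vendor's advisory; optional permissions requested at runtime are not covered.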

The cyberattack mainly targeted AI and social media accounts. Cyberhaven immediately informed users and told them to update to the latest version to prevent any further access by the hackers. Of course, users were advised to change passwords and clear all cookies.

Not Just Cyberhaven

It’s a little ironic that a security company was hit, but it also serves as a lesson that anyone and any company can be compromised. The fast action and transparency may help others stay safer as well.

It’s important to note that it’s not just Cyberhaven’s Chrome extension that was hit. A wide range of extensions were compromised, but Cyberhaven has just been more public about it. Currently, security experts aren’t sure whether the extensions hit were random or targeted specifically.

Ideally, the best way to keep yourself safe from attacks like this is to always clear your cookies after each browsing session. It’s also a good idea to keep your browser and extensions up to date, though in this case, auto-updating actually installed the malicious version. However, many Chrome extensions are designed to help protect you from malicious sites, ads, and phishing scams.

Overall, 2FA is still better than just a password, so it shouldn’t be avoided just because of bypass attacks. Just be cautious, and don’t get caught up in phishing scams.

Image credit: Pexels. Screenshots by Crystal Crowder.
