Malicious Chrome extensions for HR and ERP platforms steal sessions and cookies and sabotage management screens

Published · 5 min read

A group of malicious extensions for Google Chrome, posing as productivity and security tools aimed at human-resources platforms and business ERP systems, has been caught extracting access credentials and sabotaging the management pages used to respond to incidents. The research was published by the security firm Socket, which identified five extensions targeting services such as Workday, NetSuite and SAP SuccessFactors; together they totalled more than 2,300 installations.

On the surface they were utilities meant to ease administration and speed up workflows in corporate environments: dashboards for managing multiple accounts, supposed security controls, or "premium" access to features. Under that facade, however, they shared a very similar backend and code patterns, which suggests a coordinated operation despite being published under different names and brands.

Image: illustration generated with AI.

The campaign employed three main tactics: exfiltrating authentication cookies to command-and-control servers, manipulating the DOM to blank or redirect key administrative pages, and two-way cookie injection that lets the attacker reuse live sessions. Socket documents that several of the extensions were programmed to capture a session cookie named "__session" for the target domains (that cookie carries the active access token) and send it to the attacker every minute, which kept the session under the attacker's control even after the user closed and reopened the browser.

Beyond stealing tokens, two of the extensions acted as a deliberate block on response functions: by matching the page title, they wiped the page content or redirected administrators away from the screens dedicated to security and session management. According to the findings, one extension interfered with dozens of administrative pages (including IP-range authentication and control policies), and another extended that list to password controls, account deactivation, 2FA devices and audit logs. Cutting off access to these pages can stop a security team from acting against an intrusion, with serious consequences in business environments.

The extension with the most dangerous behaviour, published under a different brand, also included the ability to inject cookies received from the attacker's server directly into the victim's browser. With this technique an attacker can restore an authenticated session without knowing the password or triggering an additional authentication factor, which opens the door to immediate takeover of critical accounts.
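The three capabilities described above rest on a small set of extension permissions, which is what an allowlist reviewer can inspect before anyone installs the extension: the cookies API plus host access to the HR/ERP tenants covers theft and injection, and content scripts (or the scripting permission) on those hosts cover the DOM sabotage. The Node.js script below is an added example, not code from Socket's report or from the extensions themselves. It triages a manifest.json for that combination; the two sample manifests, the target-domain list, the risk tiers and the hostname updates.example.invalid are constructed for illustration.

```javascript
'use strict';

// Domains named in the article as the campaign's targets. Any real review
// would load this list from the organisation's own SaaS inventory.
const TARGET_DOMAINS = ['workday.com', 'netsuite.com', 'successfactors.com'];

// Does a Chrome match pattern ("*://*.workday.com/*", "<all_urls>", ...) cover a host?
function patternMatchesHost(pattern, host) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|ftp|file):\/\/([^/]+)(\/.*)?$/.exec(pattern);
  if (!m) return false;
  const hostPart = m[2].toLowerCase();
  host = host.toLowerCase();
  if (hostPart === '*') return true;
  if (hostPart.startsWith('*.')) {
    const suffix = hostPart.slice(2);
    return host === suffix || host.endsWith('.' + suffix);
  }
  return host === hostPart;
}

// Tenants usually live on a subdomain, so test the apex and a subdomain.
function coversDomain(pattern, domain) {
  return patternMatchesHost(pattern, domain) || patternMatchesHost(pattern, 'tenant.' + domain);
}

// Collect every host pattern the manifest asks for: MV2-style entries in
// "permissions", MV3 "host_permissions", and content-script "matches".
function hostPatterns(manifest) {
  const isHost = p => p.includes('://') || p === '<all_urls>';
  return {
    fromPerms: (manifest.permissions || []).filter(isHost),
    fromHost: manifest.host_permissions || [],
    fromScripts: (manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  };
}

// Heuristic triage: which of the campaign's capabilities could this manifest support?
function triageManifest(manifest) {
  const apiPerms = new Set(
    [...(manifest.permissions || []), ...(manifest.optional_permissions || [])]
      .filter(p => !p.includes('://') && p !== '<all_urls>'),
  );
  const { fromPerms, fromHost, fromScripts } = hostPatterns(manifest);
  const all = [...fromPerms, ...fromHost, ...fromScripts];
  const targetsHit = TARGET_DOMAINS.filter(d => all.some(p => coversDomain(p, d)));
  const domHit = TARGET_DOMAINS.filter(d =>
    fromScripts.some(p => coversDomain(p, d)) ||
    (apiPerms.has('scripting') && [...fromPerms, ...fromHost].some(p => coversDomain(p, d))),
  );
  const findings = [];
  if (apiPerms.has('cookies') && targetsHit.length)
    findings.push(`cookies API + host access to ${targetsHit.join(', ')}: can read and write session cookies (theft/injection)`);
  if (domHit.length)
    findings.push(`content scripts / scripting on ${domHit.join(', ')}: can rewrite or redirect admin pages`);
  if (apiPerms.has('alarms'))
    findings.push('alarms: can schedule periodic background work (beaconing)');
  const otherHosts = [...fromPerms, ...fromHost]
    .filter(p => p === '<all_urls>' || !TARGET_DOMAINS.some(d => coversDomain(p, d)));
  if (otherHosts.length)
    findings.push(`non-target host access (possible C2 or data sink): ${otherHosts.join(', ')}`);
  let risk = 'low';
  if (apiPerms.has('cookies') && targetsHit.length) risk = 'high';
  else if (domHit.length) risk = 'medium';
  return { risk, findings, targetsHit };
}

// Constructed manifests: one shaped like the campaign, one harmless.
const SUSPECT_MANIFEST = {
  manifest_version: 3,
  name: 'HR Multi-Account Dashboard (constructed sample)',
  permissions: ['cookies', 'alarms', 'storage', 'scripting'],
  host_permissions: ['*://*.workday.com/*', '*://*.netsuite.com/*',
    '*://*.successfactors.com/*', 'https://updates.example.invalid/*'],
  content_scripts: [{ matches: ['*://*.workday.com/*'], js: ['content.js'] }],
  background: { service_worker: 'bg.js' },
};
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: 'Intranet dark theme (constructed sample)',
  permissions: ['storage'],
  content_scripts: [{ matches: ['https://intranet.example.invalid/*'], js: ['theme.js'] }],
};

console.log(JSON.stringify(triageManifest(SUSPECT_MANIFEST), null, 2));
console.log(JSON.stringify(triageManifest(BENIGN_MANIFEST), null, 2));
```

Point it at the `manifest.json` of any extension already installed in the fleet (the Chrome profile's Extensions directory, or the CRX unpacked) to get a first cut of what needs a human review. A "high" here only says the capability is present, not that it is abused; that is exactly why the article's extensions passed as tools until their code and backend were examined.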

Although the number of installations detected, just over 2,300, is not massive compared with other campaigns, the potential impact is disproportionate: valid credentials for business platforms are a highly valuable asset that can fuel large-scale data theft, extortion and ransomware deployment. Worse still, the privacy statements and extension listings said nothing about collecting tokens or altering administrative pages, so victims could not have anticipated or consented to such behaviour.

Socket notified Google about the extensions and, at the time the report was published, the affected listings appear to have been removed from the Chrome Web Store. Detection and removal, however, do not necessarily undo the risk for those who had already installed one of them: corporate security teams need to investigate possible unauthorized access and act accordingly.

If you think you have used one of these extensions, inform your security team immediately, uninstall the extension and invalidate sessions and credentials on the affected platforms. Because the attacker already holds a copy of the session cookie, uninstalling the extension alone does not end the stolen session; it has to be revoked on the platform side. Google's help center explains how to manage and remove extensions (How to remove extensions in Chrome), and IT managers should consider revoking tokens, changing passwords, reviewing access logs and rotating relevant keys or certificates.
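Once the extension is gone, the question for the investigation is whether the exfiltration actually ran, and for how long. The one-minute cadence the report describes shows up in forward-proxy or DNS logs as a low-jitter series of small requests to a host no business process explains, while real user traffic to the HR tenant is irregular. The script below is an added example, not from the article or the Socket report: it groups proxy log lines by client and destination, computes the median interval and its spread, and flags pairs that keep a regular schedule. The log format, the client address and the hostnames are constructed; real logs need their own parser and thresholds tuned to the environment.

```javascript
'use strict';

// Constructed log format: "<ISO time> <client> <destination host> <method> <bytes sent>".
// Seconds of jitter on a 60 s schedule for the simulated beacon.
const BEACON_JITTER_S = [0, 1, -1, 2, 0, 1, -2, 0, 1];

const SAMPLE_LOG = [
  // Interactive browsing to the real HR tenant: irregular timing, mostly GETs.
  '2024-05-06T09:00:12Z 10.1.2.3 tenant.workday.com GET 0',
  '2024-05-06T09:00:41Z 10.1.2.3 tenant.workday.com GET 0',
  '2024-05-06T09:03:05Z 10.1.2.3 tenant.workday.com POST 1890',
  '2024-05-06T09:07:59Z 10.1.2.3 tenant.workday.com GET 0',
  '2024-05-06T09:09:30Z 10.1.2.3 tenant.workday.com GET 0',
  // Simulated extension beacon: a small POST to an unrelated host every ~60 s.
  ...BEACON_JITTER_S.map((j, i) => {
    const t = new Date(Date.UTC(2024, 4, 6, 9, 0, 30) + (60 * i + j) * 1000);
    return `${t.toISOString().replace(/\.000Z$/, 'Z')} 10.1.2.3 updates.example.invalid POST ${400 + i}`;
  }),
];

function parseLine(line) {
  const [ts, src, dst, method, bytes] = line.trim().split(/\s+/);
  return { t: Date.parse(ts) / 1000, src, dst, method, bytes: Number(bytes) };
}

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Flag (client, destination) pairs whose inter-request intervals are tightly
// clustered around one period. minHits avoids flagging two coincidental requests;
// maxJitterRatio is the median absolute deviation allowed relative to the period.
function detectBeacons(lines, { minHits = 5, maxJitterRatio = 0.1 } = {}) {
  const byPair = new Map();
  for (const r of lines.map(parseLine)) {
    const key = `${r.src} -> ${r.dst}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(r);
  }
  const flagged = [];
  for (const [pair, reqs] of byPair) {
    if (reqs.length < minHits) continue;
    reqs.sort((a, b) => a.t - b.t);
    const deltas = reqs.slice(1).map((r, i) => r.t - reqs[i].t);
    const period = median(deltas);
    const jitter = median(deltas.map(d => Math.abs(d - period)));
    if (period > 0 && jitter / period <= maxJitterRatio) {
      flagged.push({
        pair,
        requests: reqs.length,
        periodSeconds: period,
        medianBytes: median(reqs.map(r => r.bytes)),
        first: reqs[0].t,
        last: reqs[reqs.length - 1].t,
      });
    }
  }
  return flagged;
}

for (const hit of detectBeacons(SAMPLE_LOG)) {
  const minutes = ((hit.last - hit.first) / 60).toFixed(1);
  console.log(`${hit.pair}: ${hit.requests} requests, period ~${hit.periodSeconds}s, ` +
    `median ${hit.medianBytes} bytes, active ${minutes} min`);
}
```

Anything this flags is a candidate, not a verdict: mail clients, chat apps and monitoring agents poll on fixed schedules too, so the destination's reputation and whether the uploads began when the extension was installed decide the call. The first and last timestamps of a confirmed beacon bound the window during which the "__session" cookie must be treated as compromised.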


For organizations and administrators, this incident is a reminder that browser extensions are an attack surface that requires corporate controls: usage policies, extension allowlists, periodic reviews and monitoring for abnormal behaviour. In managed Chrome, the ExtensionInstallAllowlist, ExtensionInstallBlocklist and ExtensionSettings policies enforce such an allowlist centrally. Guidance from national security agencies and centres, such as the UK's NCSC, offers practical advice for reducing the risk of malicious extensions.

Companies should also review their response processes: blocking administrators' access to management tools is a deliberate technique for hindering containment, so separation of duties, strict privilege control and the ability to act from isolated management environments become key measures. For users and security staff who need to review the publication and acceptable-behaviour policies of the extension marketplace, the official Chrome Web Store program documentation is a useful starting point (Chrome Web Store policies).

The main lesson is simple: not everything that looks like a "management tool" is one. Keeping a critical eye on extensions that request broad permissions, and checking trusted sources before installing, are habits that can prevent a simple installation from becoming a breach of critical corporate data. For the technical details and the evidence gathered by the researchers, see Socket's full report on its blog (Socket report).
