
Ethical Hacking News

Malicious Chrome Extensions Impersonate Legitimate Enterprise Platforms to Hijack Accounts

Cybersecurity researchers have discovered five malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts. These malicious extensions are capable of stealing sensitive user information, blocking security measures, and enabling complete account takeover through session hijacking.

Learn more about the impact of these malicious extensions and how you can protect yourself against them.

  • Cybersecurity researchers have discovered five malicious Google Chrome web browser extensions that impersonate HR and ERP platforms.
  • The extensions steal authentication tokens, block incident response capabilities, and enable account takeover through session hijacking.
  • The identified extensions are DataByCloud Access, Tool Access 11, DataByCloud 1, DataByCloud 2, and Software Access.
  • The malicious extensions exfiltrate cookies to a remote server under the attackers' control to steal sensitive user information.
  • They use DOM manipulation to block security administration pages and prevent access to certain functionalities within the Workday platform.
  • One extension, Software Access, combines cookie theft with session hijacking and password input field protection.
  • The extensions have been removed from the Chrome Web Store but are still available on third-party software download sites.
  • Users who installed the malicious extensions are advised to remove them, perform password resets, and review for signs of unauthorized access.



Cybersecurity researchers have recently discovered five malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts. The discovery highlights the ongoing threat landscape in the realm of browser security and the potential for attackers to exploit unsuspecting users.

According to Socket security researcher Kush Pandya, "The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking." In other words, these extensions do not merely steal sensitive user information; they also interfere with the security controls and incident response steps that would normally be used to contain the theft.

The five identified extensions are DataByCloud Access, Tool Access 11, DataByCloud 1, DataByCloud 2, and Software Access. They were advertised as productivity tools offering access to premium features for platforms including Workday and NetSuite.

One notable feature shared by these extensions is the exfiltration of cookies to a remote server under the attackers' control. This indicates that their primary goal is to steal session material such as authentication tokens in order to gain unauthorized access to the victim's accounts.

Another key aspect is their use of DOM manipulation to block security administration pages and prevent access to certain functionality within the Workday platform. The extension Tool Access 11, for example, prevents users from reaching 44 administrative pages within Workday by erasing page content and redirecting to malformed URLs. DataByCloud 2 extends this behaviour to cover both production environments and Workday's sandbox testing environment at "workdaysuv[.]com."

The most sophisticated of the five is Software Access, which combines cookie theft with the ability to receive stolen cookies from a remote server and inject them into the browser, enabling direct session hijacking. It also includes password input field protection that prevents users from inspecting credential inputs.

All five extensions had been removed from the Chrome Web Store at the time of writing, but they remain available on third-party software download sites such as Softonic. The campaign is assessed to be a coordinated operation based on identical functionality and infrastructure patterns, suggesting either a single threat actor publishing under different publisher names or a shared toolkit.

Chrome users who have installed any of these extensions are advised to remove them from their browsers immediately, reset their passwords, and review their accounts for signs of unauthorized access from unfamiliar IP addresses or devices. The researchers emphasize that the combination of continuous credential theft, administrative interface blocking, and session hijacking creates a scenario in which security teams can detect unauthorized access but cannot remediate it through normal channels.
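The article names the extensions and describes the capabilities that matter (cookie access on the targeted platforms, script execution on Workday pages), but it does not give extension IDs, so a defender's first step is to audit what is installed locally. The script below is an added example written for this page; it is not code from the article or from Socket's research. It walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` layout, flags any manifest whose name matches the five reported names, and separately flags permission combinations that make cookie exfiltration or DOM-based admin-page blocking possible. The two manifests it writes for the demo run, including their extension IDs, are constructed samples and not the real extensions; the Chrome profile path in the usage note is an assumption about a typical Linux install.

```python
"""Audit a Chrome profile's Extensions directory for the reported extension names
and for permission combinations that make cookie theft and DOM blocking possible."""
import json
import tempfile
from pathlib import Path

# Extension names reported in the Socket research the article cites.
KNOWN_BAD_NAMES = {
    "DataByCloud Access", "Tool Access 11", "DataByCloud 1", "DataByCloud 2", "Software Access",
}
# Enterprise platforms the article names; an extension that touches these hosts and
# can read cookies deserves review even if its name is not on the list.
TARGET_HOST_FRAGMENTS = ("workday.com", "workdaysuv.com", "netsuite.com", "successfactors.com")
# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return a list of findings for one parsed manifest.json (empty means nothing flagged)."""
    name = manifest.get("name", "")
    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    content_scripts = manifest.get("content_scripts", [])
    for cs in content_scripts:
        hosts.extend(cs.get("matches", []))
    targets_enterprise = any(frag in h for h in hosts for frag in TARGET_HOST_FRAGMENTS)
    broad = any(h in BROAD_HOSTS for h in hosts)

    findings = []
    if name in KNOWN_BAD_NAMES:
        findings.append("name matches a reported malicious extension")
    if "cookies" in perms and (broad or targets_enterprise):
        # chrome.cookies on broad or enterprise hosts is what session exfiltration needs
        findings.append("cookie access on broad or enterprise hosts")
    if targets_enterprise and (content_scripts or "scripting" in perms):
        # script execution on the platform's pages is what DOM-based admin-page blocking needs
        findings.append("can run scripts on enterprise platform pages")
    return findings


def audit_extensions_dir(root: Path) -> list[dict]:
    """Walk Chrome's Extensions/<id>/<version>/manifest.json layout and audit each manifest."""
    results = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip rather than abort the sweep
        results.append({
            "id": manifest_path.parents[1].name,
            "name": manifest.get("name", "?"),
            "findings": audit_manifest(manifest),
        })
    return results


def build_sample_extensions(root: Path) -> None:
    """Write two constructed manifests (placeholder ids, not the real extensions) for a demo run."""
    samples = {
        "constructedbadextensionid0000001": {
            "manifest_version": 3, "name": "Software Access", "version": "1.0",
            "permissions": ["cookies", "scripting", "tabs", "storage"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["*://*.workday.com/*"], "js": ["content.js"]}],
        },
        "constructedbenignextensionid0002": {
            "manifest_version": 3, "name": "Tab Counter", "version": "2.1",
            "permissions": ["tabs"],
        },
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / (manifest["version"] + "_0")
        version_dir.mkdir(parents=True, exist_ok=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def run_demo() -> list[dict]:
    """Build the constructed sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_extensions(root)
        return audit_extensions_dir(root)


if __name__ == "__main__":
    for r in run_demo():
        status = "FLAGGED" if r["findings"] else "ok"
        print(f"{status:8} {r['id']} {r['name']!r}: {'; '.join(r['findings']) or '-'}")
```

To run it against a real profile, call `audit_extensions_dir(Path.home() / ".config/google-chrome/Default/Extensions")` (the Linux default path; Windows and macOS profiles live elsewhere). A name match is a hard indicator; the permission heuristics are deliberately broad and will also flag legitimate SSO or password-manager extensions, so treat those hits as a review queue rather than a verdict.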

In conclusion, the recent discovery of these malicious Chrome extensions highlights the ongoing threat landscape in browser security and the potential for attackers to exploit unsuspecting users. It is crucial for users to remain vigilant when installing new software or extensions and to regularly review their browser settings for any signs of suspicious activity.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Malicious-Chrome-Extensions-Impersonate-Legitimate-Enterprise-Platforms-to-Hijack-Accounts-ehn.shtml

Published: Fri Jan 16 09:45:37 2026 by llama3.2 3B Q4_K_M