How Hackers Slipped Into Your Browser: Web Supply Chain Attacks in 2024
In 2024, the browser continued to be a prime target for third-party risk, highlighting threat actors’ abuse of the increasingly complex web infrastructure and the lack of client-side protections. The browser, with its ubiquitous use across industries and departments, represents a constantly-open door through which an attacker can execute malicious code or gain access to sensitive data, but remains an underserved application in most organizations' security strategies.
This article provides an overview of three noteworthy supply chain attacks observed in 2024 in the browser ecosystem: trusted browser extension compromise, JavaScript library takeover on legitimate sites, and consent phishing via trusted identity providers.
Data Exfil by Compromised DLP Browser Add-On
In late December, Cyberhaven, a cybersecurity company, suffered a breach and identified that its Chrome Web Store administrative account had been compromised via a consent phishing attack. A malicious version of its data loss prevention (DLP) browser extension was pushed to its Chrome users and ran for several hours, logging keystrokes and exfiltrating specific sensitive data. This breach exploited the inherent trust organizations place in their third-party vendors and the lack of effective browser add-on management.
Impact
Though the Cyberhaven team was able to take down the malicious extension within an hour of identifying the malicious code update, the malicious version had remained actively installed on Chrome browsers for at least several hours. During this time, the add-on contained additional code that logged inputs to a web page’s DOM tree (including usernames and passwords), gathered session cookies, and exfiltrated the data to an attacker-controlled command-and-control domain that mimicked Cyberhaven’s legitimate domain. Although Cyberhaven reports Facebook Ads accounts as the primary target, the malicious code was capable of accessing and exfiltrating a wide range of other accounts and sensitive data, highlighting how much more severe the incident could have been for its customers.
Implications
Users and organizations install and trust certain browser extensions due to the many benefits they provide. Browser add-ons, however, are additional software running in and integrated directly into the browser. Without the continuous and effective management of such software, extensions present an effective and potentially devastating attack vector that is in use by threat actors but often overlooked by organizations.
To safeguard against compromised extensions, organizations should enforce strict browser add-on management policies and regularly review the permissions and activities of trusted extensions.
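One concrete form of the "regularly review the permissions" advice is to compare what an installed extension currently declares against a baseline the security team approved, so that a silently pushed update that bumps the version or widens permissions is surfaced rather than trusted. The Node.js script below is an added example, not Cyberhaven's or Keep Aware's code; the extension id, version numbers, host pattern and the two manifests are constructed placeholders, and how the observed manifest is collected (for example, from the browser's management API or the extension directory on disk) is assumed to be handled elsewhere.

```javascript
// Added example, not Cyberhaven's or Keep Aware's code. Compares the manifest
// of an installed Chrome extension against an approved baseline so that an
// update that changes the version or widens permissions is surfaced before it
// is trusted. Field names follow the Chrome Manifest V3 format; the extension
// id, versions and host pattern below are constructed placeholders.

// API permissions that give an extension reach well beyond its own UI.
const HIGH_RISK_PERMISSIONS = new Set([
  "cookies", "webRequest", "declarativeNetRequest", "scripting",
  "tabs", "history", "clipboardRead", "debugger", "nativeMessaging",
]);

// Host patterns that let content scripts run on every origin.
const BROAD_HOST_PATTERNS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
]);

// Constructed baseline: the version and permissions the security team reviewed.
const APPROVED_BASELINE = {
  id: "abcdefghijklmnopabcdefghijklmnop",
  version: "24.11.4",
  permissions: ["storage", "tabs"],
  host_permissions: ["https://*.dlp-vendor.invalid/*"],
};

// Constructed observation: what the browser reports after an auto-update.
const OBSERVED_MANIFEST = {
  id: "abcdefghijklmnopabcdefghijklmnop",
  version: "24.12.1",
  permissions: ["storage", "tabs", "cookies"],
  host_permissions: ["https://*.dlp-vendor.invalid/*", "<all_urls>"],
};

// Report every entry in `observed` that the baseline did not contain,
// rating it high when it falls in the given risk set.
function diffList(approved, observed, riskSet, label) {
  const known = new Set(approved || []);
  return (observed || [])
    .filter((item) => !known.has(item))
    .map((item) => ({
      severity: riskSet.has(item) ? "high" : "low",
      message: `new ${label}: ${item}`,
    }));
}

// Returns a list of {severity, message} findings; an empty list means no drift.
function auditExtension(approved, observed) {
  const findings = [];
  if (approved.id !== observed.id) {
    findings.push({ severity: "high", message: `extension id mismatch: ${observed.id}` });
  }
  if (approved.version !== observed.version) {
    findings.push({
      severity: "medium",
      message: `version changed: ${approved.version} -> ${observed.version}`,
    });
  }
  findings.push(...diffList(approved.permissions, observed.permissions,
    HIGH_RISK_PERMISSIONS, "API permission"));
  findings.push(...diffList(approved.host_permissions, observed.host_permissions,
    BROAD_HOST_PATTERNS, "host permission"));
  return findings;
}

// Policy decision: any high-severity finding means the updated extension should
// be disabled until it is re-reviewed, not left running with the new reach.
function shouldQuarantine(findings) {
  return findings.some((f) => f.severity === "high");
}

function runAudit() {
  return auditExtension(APPROVED_BASELINE, OBSERVED_MANIFEST);
}

const findings = runAudit();
for (const f of findings) console.log(`[${f.severity}] ${f.message}`);
console.log(shouldQuarantine(findings) ? "action: quarantine" : "action: none");
```

Run as `node audit-extension.js`; with the constructed manifests it reports the version change, the new `cookies` permission and the new `<all_urls>` host pattern, and recommends quarantine. A version change on its own is only medium severity because vendors ship updates constantly; what warrants an immediate response is the combination with permissions the team never reviewed.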
Supply Chain Compromise via JavaScript Library Takeover
Polyfill is a popular open-source library that gives older browsers support for modern web features they do not natively provide. When users browsed to any of the 100,000 websites that used the library, the web server instructed client browsers to fetch a copy of the polyfill.js JavaScript file from a third-party domain and execute it. Though Polyfill was a trusted and popular script, the domain from which websites loaded the library was purchased in February 2024, along with the relevant GitHub account, by a Chinese company that proceeded to modify the code base.
Impact
The new library owner introduced malware into the code repository, and hundreds of thousands of websites across the internet then began pointing users’ browsers to the malicious library. The new code dynamically generated its payload and redirected users away from legitimate sites to malicious websites. To evade detection and analysis, the library served the malicious code only under specific conditions, such as on certain mobile devices and between certain hours. Though the malicious library was eventually removed, its ability to redirect users and deploy payloads under specific conditions underscores the potentially far-reaching consequences of such supply chain compromises.
Implications
In today’s hyperconnected digital environment, users browse daily to legitimate sites with full implicit trust, and few platforms provide visibility into, or protection against, malicious client-side code. The Polyfill library takeover highlights one way attackers exploit users’ trust in websites and organizations’ lax management of third-party risk, underscoring the need both to manage supply chain risk for web services and to identify and respond to client-side attacks occurring via the browser.
To protect against malicious JavaScript attacks, organizations should implement browser security measures and leverage browser telemetry for swift detection and response to suspicious activities.
“Consent Phishing” and Third-Party Web Apps
Consent phishing, the act of obtaining a user’s consent for a third-party application to access that user’s account, abuses an employee’s trust in familiar OAuth providers’ consent screens and in the providers’ web application review processes. A bad actor creates a web application, registers it with a trusted OAuth 2.0 identity provider (e.g., Microsoft, Google), and lures a user to the legitimate provider’s webpage, which prompts the user to grant certain permissions (e.g., read/write emails) to the third-party app. Upon accepting the prompt, the victim grants the requested permissions to the attacker-controlled application.
Impact
The attacker now has a degree of control over the user’s account. Depending on the requested permissions, the attacker can then take actions in the environment to extend the compromise, such as sending malicious emails to unsuspecting users on behalf of the victim, further undermining the implicit chain of trust that people and security tools operate upon. In the aforementioned Cyberhaven compromise, the attacker gained the permissions to publish to the web store on behalf of a Chrome Web Store admin account, and further infiltrated the supply chain by deploying a malicious extension version and quietly gathering and exfiltrating data from the compromised company’s customers.
Implications
Third-party applications often remain unmanaged and their granted permissions unreviewed. Attackers are leveraging this blind spot to gain an initial foothold into organizations and to subsequently cause a wide range of damage, stressing the need to monitor and understand your organization’s web footprint and the permissions granted to third-party web applications.
To protect your organization from consent phishing attacks, implement stringent monitoring of permissions granted to third-party web applications, educate users to recognize and verify consent requests, and establish response protocols to rapidly revoke malicious and unwanted access.
Conclusion: The Critical Need for Supply Chain Risk Management
Supply chain attacks observed in 2024 serve as a reminder of the increasing intricacies and unmanaged aspects of the browser ecosystem. Attackers are continuously pursuing innovative ways to infiltrate and leverage trusted relationships, including unauthorized modifications of third-party browser extensions, manipulation of JavaScript libraries on hundreds of thousands of legitimate websites, and the unwitting granting of access to third-party applications. These attacks on trusted entities underscore the necessity for organizations to implement supply chain risk management strategies and to adopt security strategies that provide visibility into and protections against browser-based threats.
If your organization is looking to detect and mitigate browser-based threats before they escalate, Keep Aware can help. Request a demo to see our product in action or get started in minutes with a commitment-free 30 day trial.