- Socket found five malicious Chrome extensions that spoof HR/ERP platforms
- Extensions enabled credential theft, session hijacking, and blocked event response
- Removed from Chrome Store but still on third party sites
If you use Workday, NetSuite or SuccessFactors at work, you may want to be aware of the browser extensions or add-ons you have installed because you may have inadvertently installed malware.
Security researchers Socket have warned of discovering five Chrome extensions that spoof popular human resources (HR) software and Enterprise Resource Planning (ERP) platforms.
Plugins are designed to steal authentication tokens, block incident response capabilities, or provide full account takeover via session hijacking, the researchers explained.
Thousands of victims
Here is the full list of malicious extensions:
DataByCloud Access
Tool access 11
DataByCloud 1
DataByCloud 2
Software access
By the time the news hit the web, all five had already been removed from the Google Chrome Webshop. Even so, users who have installed them before will not be completely safe until they uninstall the plugins and run a thorough scan to see if the infection had been cleaned.
In addition Hacker News reports that plugins are still available on third-party software download sites such as Softonic, but we were unable to independently verify these claims as Softonic’s site appeared to be offline at press time.
Cumulatively, these five add-ons were downloaded 2,739 times, suggesting that the campaign was not very effective.
Still, Workday, NetSuite, and SuccessFactors are typically used by medium to large organizations, including enterprises and multinationals, for HR, finance, payroll, and operations teams. A full account takeover in just one such organization could turn into a large-scale cyber attack with millions of dollars in damage and thousands of people affected.
To make matters worse, some of the removed extensions were first made public more than four years ago.
“The combination of continuous credential theft, administrative interface blocking, and session hijacking creates a scenario where security teams can detect unauthorized access but cannot remediate through normal channels,” Socket said.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
