1/14/2025

Final analysis: Chrome extension security incident

Cyberhaven Team

Following our preliminary analysis of the December 24, 2024 security incident affecting our Chrome extension, we engaged Booz Allen Hamilton to conduct an independent investigation. Today, we're sharing their findings along with details about the lessons learned and actions taken or that will be taken based on this incident.


Independent analysis confirms initial findings

Booz Allen Hamilton's reverse engineering analysis of the compromised extension (version 24.10.4) validates our initial technical assessment. Their detailed investigation identified malicious code designed to communicate with attacker-controlled servers and potentially access user data through the extension's permissions. This independent verification supports our immediate response actions and confirms the effectiveness of our mitigation strategy in version 24.10.5.

Part of a broader campaign

A separate threat intelligence report from Booz Allen Hamilton reveals this incident was part of a larger coordinated campaign targeting Chrome extension developers across multiple industries. Their analysis identified over 30 other extensions that were potentially compromised in this campaign, with a total user base exceeding 2.6 million users. This broader context suggests a sophisticated supply chain attack rather than targeted action against Cyberhaven specifically.

Comprehensive security improvements

Based on these findings, we've implemented and are implementing several security improvements:

Immediate actions (completed)

Move to a whitelist approach for OAuth application permission grants

Why: This will force a security review process for all OAuth permission requests 

How: Remove the ability for regular users to grant OAuth permissions. Only the security team can grant OAuth permissions, and only after review.

Enable better notifications for web store deployments

Why: Security and DevOps should be notified every time a new version of the extension is published to the Chrome Web Store.

How: Notifications are on a per-user basis in the Chrome Web Store. We are also forwarding all emails from the Chrome Web Store to the security alias to ensure both engineers and security receive these notices.

Remove standing privileges to the Chrome Web Store so it conforms to our normal CI/CD processes

Why: Remove standing administrative access for human users. Several senior developers have standing access to the Chrome Web Store for debugging, troubleshooting, and using the API to publish as part of the CI/CD pipeline. Due to the Chrome Web Store RBAC model and lack of observability controls, this weakness needs to be mitigated.

How: Set up a “break glass” account to manage the Google Chrome Web Store. The security team manages this account. Ensure the current API account is used to publish via API. Implement monitoring to alert on all activity with those accounts to ensure no abnormal behavior.

Near-term improvements (Q1 2025)

Replace email security tooling & implement heightened detection rules until we migrate

Why: The phishing email at the center of this event was not identified by our current tools. Based on this gap and other required functionality, Cyberhaven will be migrating to the leading vendor in this space. In the meantime, we have reduced the confidence level required to auto-quarantine a phish in our existing tool to ensure similar emails will be quarantined.

How: We are starting talks with the new vendor and will aggressively migrate to them once paperwork is signed. Contract negotiations are underway.

Improve customer notification and assured delivery for critical incidents beyond email

Why: While Cyberhaven sent timely communications, some customers reported that they either did not receive them, the messages went to spam, or they went to the wrong people.

How: During POC and onboarding, collect critical incident contact information per customer. Implement better tooling for customer notifications.

Report extension version in endpoint management page

Why: Give customers visibility into the version, install date, health and status of browser extensions. This will greatly aid our customers in understanding the relationship between the agent and the extension.

How: Expand our endpoint management page with extension telemetry data. That data currently only exists in the Cyberhaven backend.

Cyberhaven Hosted extension and integrity check

Why: The Google Web Store has very few controls to enforce good security processes and little telemetry to monitor its use. It also doesn't allow Cyberhaven to sign the extension.

How: Cyberhaven would host the extension on its own infrastructure. That allows complete control of how the extension is published (using our secure CI/CD tooling). Update the agent to verify the integrity of the extension.
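As an added illustration of the agent-side integrity check described above (this is not Cyberhaven's agent code, which the post does not publish), the following stdlib-only Python computes a canonical digest over an unpacked extension and has a hypothetical verifier compare that digest, and the manifest version, against a release record the build pipeline would publish with the package. All function names and the sample extension files are constructed for the example.

```python
# Added example, not Cyberhaven's agent code. Hypothetical names throughout.
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def extension_digest(ext_dir: Path) -> str:
    """Canonical SHA-256 over every file in the unpacked extension.

    Paths are sorted and both path and content are length-prefixed, so adding,
    removing or renaming a file changes the digest just as editing content does.
    """
    h = hashlib.sha256()
    for path in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(ext_dir).as_posix().encode()
        data = path.read_bytes()
        h.update(len(rel).to_bytes(4, "big") + rel)
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

def verify_extension(ext_dir: Path, release: dict) -> tuple:
    """Compare the installed extension with the release record the agent trusts.

    `release` stands in for what a CI/CD pipeline would publish alongside the
    package: the expected version and the canonical digest of the built files.
    """
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    if manifest.get("version") != release["version"]:
        return False, "version mismatch"
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(extension_digest(ext_dir), release["sha256"]):
        return False, "content digest mismatch: files differ from the published build"
    return True, "ok"

def demo() -> tuple:
    """Constructed sample: a clean build verifies, a modified copy does not."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "ext"
        ext.mkdir()
        (ext / "manifest.json").write_text(json.dumps({"version": "24.10.5"}))
        (ext / "background.js").write_text("console.log('ok');\n")
        release = {"version": "24.10.5", "sha256": extension_digest(ext)}
        clean_ok, _ = verify_extension(ext, release)
        # Simulate a script that was altered after the release record was published.
        (ext / "background.js").write_text("console.log('modified');\n")
        tampered_ok, reason = verify_extension(ext, release)
    return clean_ok, tampered_ok, reason
```

A production check would also verify a signature from the pipeline's release key over the record itself; the example stops at the digest comparison.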

Strategic enhancements (Q3 2025)

Granular control of extension distribution and ability for agent to update

Why: We would like to enable customers to have better control of the rollout of the extension and not rely on Chrome Web Store or Chrome’s update processes.

How: Better control the distribution of our extension, including gradual rollout, different distribution policies per customer, and enable customer control over the rollout.

These improvements reflect our commitment to preventing similar incidents and strengthening our security posture. We appreciate the trust our customers place in us and remain committed to maintaining the highest security standards. If you have any questions about these findings or improvements, please contact your account team or our support department.