This article examines a major supply chain attack targeting Chrome extension developers through fraudulent Google OAuth applications. The campaign used a malicious app named "Privacy Policy Extension" to trick developers into granting access to the Chrome Web Store API. Once authorized, the attackers could modify and publish compromised extensions that exfiltrated session cookies and authentication tokens from millions of users, specifically targeting Facebook Ads accounts.
The technical breakdown shows how to analyze Google Workspace OAuth audit logs to identify suspicious activity. It provides specific detection logic for flagging new applications that request high-risk scopes and offers remediation strategies using the GAM tool. By enforcing stricter third-party app restrictions and proactively threat hunting for rare application IDs, organizations can better defend against these OAuth-based attacks.
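The detection logic described above (new or rare client IDs requesting high-risk scopes), as an added illustration that is not code from the article. The audit events and the baseline of known client IDs are constructed; the field names `app_name`, `client_id` and `scope` are an assumption modeled on Workspace token-audit `authorize` events.

```python
"""Hunt constructed Workspace OAuth token-audit events for new apps with high-risk scopes.
Added example, not the article's code. Event field names (app_name, client_id, scope)
are an assumption modeled on Reports API token 'authorize' events."""
from collections import Counter

# Scopes whose grant to an unfamiliar app should be reviewed; the Chrome Web
# Store scope is the one the phishing app in this campaign asked for.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
}

# Constructed sample of 'authorize' events (one per OAuth consent).
EVENTS = [
    {"actor": "dev1@example.com", "app_name": "Team Calendar Sync",
     "client_id": "known-client-1",
     "scope": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"actor": "dev2@example.com", "app_name": "Privacy Policy Extension",
     "client_id": "new-client-999",
     "scope": ["https://www.googleapis.com/auth/chromewebstore",
               "https://www.googleapis.com/auth/userinfo.email"]},
    {"actor": "dev3@example.com", "app_name": "Team Calendar Sync",
     "client_id": "known-client-1",
     "scope": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

# Constructed baseline: client_ids already present in earlier audit exports.
KNOWN_CLIENT_IDS = {"known-client-1"}

def rare_client_ids(events, max_grants=1):
    """client_ids granted at most max_grants times in this export (rarity hunt)."""
    counts = Counter(e["client_id"] for e in events)
    return {cid for cid, n in counts.items() if n <= max_grants}

def flag_suspicious_grants(events, known_ids, max_grants=1):
    """Return grants whose app is new or rare AND requests a high-risk scope."""
    rare = rare_client_ids(events, max_grants)
    hits = []
    for e in events:
        risky = sorted(set(e["scope"]) & HIGH_RISK_SCOPES)
        unfamiliar = e["client_id"] not in known_ids or e["client_id"] in rare
        if risky and unfamiliar:
            hits.append({"actor": e["actor"], "app_name": e["app_name"],
                         "client_id": e["client_id"], "risky_scopes": risky})
    return hits
```

Each hit is a consent that deserves review: in the sample only the rare "Privacy Policy Extension" grant requesting the Chrome Web Store scope is flagged.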