In July, it became known – and noticeable to users – that the popular Chrome Web Developer extension had been compromised. Suddenly, malware ads were being served up in places such as the Google homepage and Google search results, where there obviously shouldn’t be any ads of this type. The developer issued a fix later that day, and many assumed that updating the extension to remove the malicious code was enough. But it seems the hackers had a much bigger target than simple malware – the Cloudflare credentials of everyone who used the Web Developer extension.
The Web Developer extension wasn’t the only one compromised for Cloudflare credentials, although it is the most popular one for site owners and SEOs to have installed. Multiple other extensions were also compromised via similar phishing attacks, according to Wordfence, with a total of 4.8 million users affected. The affected extensions:
- Web Developer – Version 0.4.9 affected
- Chrometana – Version 1.1.3 affected
- Infinity New Tab – Version 3.12.3 affected
- CopyFish – Version 2.8.5 affected
- Web Paint – Version 1.2.1 affected
- Social Fixer – Version 20.1.1 affected
- TouchVPN appears to have been affected but the version is unclear
- Betternet VPN also appears to have been affected but no version was provided
If you have any of the above extensions installed, you need to change your Cloudflare password(s) immediately. You also need to revoke and/or invalidate the API keys.
On the positive side, there are no known sites compromised via Cloudflare at this time, but those credentials could be used for a future attack. So those keys and passwords still need to be changed.
It is also a reminder for Chrome users to periodically go through their Chrome extensions and delete or disable any extensions that are not being used on a daily basis, to reduce the likelihood that one is compromised while you are using Chrome.
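One way to run that review against the list above is to read each installed extension's `manifest.json` and compare its name and version; this is an added example, not code from the article or from any of the extension developers. It assumes the usual Chrome profile layout `<profile>/Extensions/<id>/<version>_0/manifest.json`, matches on extension name because the article gives no extension IDs, and uses constructed sample data with placeholder IDs.

```python
import json, re
from pathlib import Path

# Names and versions as the article lists them; None = no version given there.
AFFECTED = {"Web Developer": "0.4.9", "Chrometana": "1.1.3", "Infinity New Tab": "3.12.3",
            "CopyFish": "2.8.5", "Web Paint": "1.2.1", "Social Fixer": "20.1.1",
            "TouchVPN": None, "Betternet": None}

def norm(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())  # "Touch VPN" -> "touchvpn"

def load(path):
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}  # unreadable or malformed file: treat as empty

def display_name(ext_dir, manifest):
    """Resolve a localized "__MSG_key__" name through _locales/<default_locale>."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    loc = ext_dir / "_locales" / manifest.get("default_locale", "en")
    msgs = load(loc / "messages.json") if m else {}
    for key, val in msgs.items():  # message keys are case-insensitive
        if key.lower() == m.group(1).lower():
            return val.get("message", name)
    return name

def audit(extensions_root):
    """Return sorted (name, version, status) for installed extensions on the list."""
    findings = []
    for mf in Path(extensions_root).glob("*/*/manifest.json"):
        manifest = load(mf)
        name, version = display_name(mf.parent, manifest), manifest.get("version", "")
        for listed, bad in AFFECTED.items():
            if norm(listed) in norm(name):  # assumption: match on name substring
                status = "listed version" if version == bad else "other version"
                findings.append((name, version, status if bad else "no version given"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; the extension IDs are placeholders, not real IDs."""
    for ext_id, name, ver, msgs in [("a" * 32, "Web Developer", "0.4.9", None),
            ("b" * 32, "__MSG_appName__", "2.8.6", {"appName": {"message": "Copyfish OCR"}}),
            ("c" * 32, "Touch VPN", "1.0.0", None), ("d" * 32, "Unrelated Notes", "3.2.1", None)]:
        d = Path(root) / ext_id / (ver + "_0") / "_locales" / "en"
        d.mkdir(parents=True)
        (d / "messages.json").write_text(json.dumps(msgs or {}))
        manifest = {"name": name, "version": ver, "default_locale": "en"}
        (d.parents[1] / "manifest.json").write_text(json.dumps(manifest))
```

Point `audit()` at the `Extensions` directory of each Chrome profile on the machine. A result of "other version" means the extension is installed now but says nothing about which version was running in July, so the credential rotation above still applies.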
For a much more detailed analysis of the original attacks, read the threat analysis on Proofpoint.