Sophisticated malicious Chrome extensions targeted Workday, NetSuite, and SAP SuccessFactors users to steal authentication cookies, block security administration pages, and enable direct session takeovers.

Cybersecurity researchers have uncovered a coordinated campaign deploying malicious Chrome extensions to compromise enterprise HR and ERP platforms. Socket identified five extensions targeting Workday, NetSuite, and SAP SuccessFactors, collectively installed over 2,300 times through the Chrome Web Store.
These extensions posed as productivity tools, with deceptive listings promising features like bulk account management and security enhancements. Data By Cloud 2 (1,000+ installs) claimed to offer dashboard tools for multiple accounts, while Tool Access 11 positioned itself as a security-focused add-on restricting access to sensitive features.
Three-Pronged Attack Strategy
- Cookie Exfiltration: The extensions continuously harvested "__session" authentication cookies, transmitting them to attacker-controlled servers every 60 seconds. This allowed persistent access to authenticated sessions even after users logged out.

[Figure: Stealing "__session" cookies targeting Workday, NetSuite, and SuccessFactors (Source: Socket)]
- Administrative Page Blocking: Data By Cloud 2 and Tool Access 11 actively blocked access to 56 security administration pages in Workday. Using DOM manipulation techniques, the extensions either erased page content or redirected users away from critical pages including:
  - Authentication policy settings
  - IP range management
  - Two-factor device controls
  - Security audit logs
This obstruction could prevent security teams from responding to incidents.
- Bidirectional Session Hijacking: The Software Access extension implemented the most advanced capability, enabling direct injection of stolen cookies into browsers. This bidirectional communication allowed attackers to:
  - Receive stolen session tokens from their C2 server
  - Inject authentication cookies directly into browsers
  - Take over authenticated sessions without credentials or MFA
Infrastructure Patterns
Despite appearing as separate publishers, the extensions shared identical:
- Security tool detection lists
- API endpoint patterns
- Code structures
- Targeting methodologies
Socket's analysis confirmed all extensions lacked disclosure about cookie extraction, credential exfiltration, or page-blocking functionality in their privacy policies.
Enterprise Impact
The campaign represents a significant escalation in supply-chain attacks targeting enterprise systems:
- Session persistence: Exfiltrated cookies maintained access through logout cycles
- Incident response obstruction: Blocked security pages hindered threat mitigation
- Direct account takeover: Bidirectional cookie injection enabled immediate session hijacking
Google has since removed all identified extensions. Organizations using affected platforms should:
- Audit installed Chrome extensions
- Reset credentials for Workday, NetSuite, and SuccessFactors
- Review authentication logs for suspicious sessions
- Report incidents to security administration teams
This operation demonstrates how attackers increasingly exploit browser extension trust relationships to bypass enterprise security controls.
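One way to start the "audit installed Chrome extensions" step above is to scan each installed extension's manifest for the capability combination this campaign relied on: the cookies permission together with host access to Workday, NetSuite, or SuccessFactors. The script below is an added example, not Socket's tooling or code from the extensions; the profile paths, the host-pattern list, and the permission watch-list are assumptions for a default Chrome profile.

```python
import json
import os
import re
from pathlib import Path

# Assumed watch-list of the platforms named in the campaign; the extensions'
# actual manifests are not reproduced in the article.
TARGET_HOST_RE = re.compile(r"(workday\.com|netsuite\.com|successfactors\.(com|eu))", re.I)
SENSITIVE_PERMS = {"cookies", "webRequest", "declarativeNetRequest", "scripting", "tabs"}

def chrome_extension_dirs():
    """Default Chrome profile extension roots per OS (assumed standard user-data-dir layout)."""
    home = Path.home()
    candidates = [
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",
        home / "Library/Application Support/Google/Chrome/Default/Extensions",
        home / ".config/google-chrome/Default/Extensions",
    ]
    return [p for p in candidates if p.is_dir()]

def assess_manifest(manifest: dict) -> dict:
    """Return risk findings for one parsed manifest.json (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    # MV2 keeps host match patterns inside "permissions"; MV3 uses "host_permissions".
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    content_hosts = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    touches_target = any(h == "<all_urls>" or TARGET_HOST_RE.search(h) for h in hosts + content_hosts)
    sensitive = sorted(perms & SENSITIVE_PERMS)
    # The campaign's core capability: cookie access scoped to the HR/ERP platforms.
    high = touches_target and "cookies" in perms
    return {"name": manifest.get("name", "?"), "sensitive_permissions": sensitive,
            "touches_target_platforms": touches_target, "high_risk": high}

def audit(roots) -> list:
    """Walk <root>/<extension id>/<version>/manifest.json and assess each one."""
    findings = []
    for root in roots:
        for mf in Path(root).glob("*/*/manifest.json"):
            try:
                data = json.loads(mf.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash the audit
            f = assess_manifest(data)
            f["id"] = mf.parts[-3]
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in audit(chrome_extension_dirs()):
        flag = "HIGH" if f["high_risk"] else ("review" if f["sensitive_permissions"] else "ok")
        print(f"{flag:6} {f['id']} {f['name']!r} perms={f['sensitive_permissions']}")
```

A "HIGH" hit is a starting point for manual review of the extension's code and its store listing, not proof of compromise on its own.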
