Cyberhaven security
1/18/2025
Update: Additional data recently discovered via telemetry gathered by our 24.10.6 extension
Following up on our final analysis of the December 24, 2024 security incident affecting our Chrome extension and dozens of others, we are sharing additional findings from telemetry gathered by our most recent Chrome extension, version 24.10.6, for the benefit of the wider security community.
Read our final analysis of the incident here.
Additional findings
On 0.0002% of impacted machines, Cyberhaven has found a different config file downloaded by the compromised extension (version 24.10.4). This config file contains OpenAI’s ChatGPT URLs. Most importantly, when this config file is loaded, the malicious code is unable to send data.
Cyberhaven’s analysis of the Chrome extension code running with the ChatGPT config file, which documents the file’s presence, can be found here. The analysis by Booz Allen Hamilton of the same extension code with the ChatGPT config can be found here.
Both reach the same conclusion: the added malicious code is incapable of sending any information while running with this config.
Working theory
Currently, both Booz Allen Hamilton and Cyberhaven are working on the theory that this config may have “bled” over from a separate compromised extension as part of this wider attack. Open-source intelligence suggests that some of the other Chrome extensions compromised in this broader campaign did target ChatGPT and used command-and-control (C2) infrastructure hosted on the same IP address.
Scope appears unchanged
Finally, this finding does not appear to change the scope of the event or the data that may have been compromised. The scope of the event still appears limited to Facebook personal and business account information.
