Malicious Chrome extensions posing as productivity tools were found stealing session tokens, blocking security controls, and enabling account takeover across popular enterprise HR and ERP platforms.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

Five malicious Chrome extensions disguised as productivity tools were discovered stealing session tokens from enterprise HR and ERP platforms like Workday, NetSuite, and SuccessFactors. The extensions exfiltrated authentication cookies, blocked access to security controls, and enabled complete account takeover through session hijacking. Over 2,300 users installed these extensions before Socket.dev researchers reported them to Google. The most sophisticated variant could inject stolen session tokens directly into attacker-controlled browsers, bypassing login screens and multi-factor authentication entirely.

Five Chrome extensions caught hijacking enterprise sessions