The browser extension was hijacked on July 3, 2017 and a backdoor was distributed via Google Web Store. The attackers have published non-existing version of the extension 20.1.1.
Vulnerable component: Social Fixer (Chrome extension)
CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-798 - Use of Hard-coded Credentials
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.
The vulnerability exists due to presence of backdoor code in Social Fixer Google Chrome extension 20.1.1, distributed via Google Web Store.
Known APT campaigns:
Attack against Google Web Store developer accounts
Accounts of several developers of Google Chrome extensions were compromised. The malicious actors published new version of Chrome extension, which contained backdoor code. The campaign has started approximately in March 2017 and continued in August 2017. The total verified number of compromised extensions equals 6. Approximate number of affected victims - 4.1 million, according to Proofpoint.