If a Chrome extension promises to remove security pop-ups and generate MFA codes, that should make you pause.

However, thirty-three people did not pause.

Recently, security researchers uncovered a malicious Chrome extension called CL Suite by @CLMasters, ID jkphinfhmfkckkcnifhjiplhfoiefffl. It was uploaded to the Chrome Web Store on March 1, 2025. At the time of reporting, it had just 33 users.

At first glance, that number sounds small. In reality, it is not.

Understanding CL Suite Malicious Extension

On the surface, the extension was marketed as a tool for Meta Business Suite users. Specifically, it claimed to scrape data, remove verification pop-ups, and generate two-factor authentication (AKA MFA) codes. To a busy marketer, that sounds like convenience. By contrast, to a security professional, it sounds like a major red flag.

Beneath that marketing layer, the extension had far more serious capabilities. It could steal your Time-Based One-Time Password (or TOTP) seed, which is the secret key used to generate time-based one-time passwords. In addition, it could capture live 2FA codes. Furthermore, it could automatically navigate to facebook[.]com and meta[.]com and target the Business Manager’s “People” view.

From there, it built a CSV file containing names, email addresses, roles, permissions, and access status. Beyond that, it enumerated Business Manager entities and export IDs, ad accounts, connected pages, assets, and billing configuration details.

In other words, this was not casual data scraping. Instead, it was structured, targeted, and extremely dangerous reconnaissance and data theft.

What is a Time-Based One-Time Password (TOTP) Seed?

To fully understand the impact, you first need to understand what a TOTP seed is. App-based two-factor authentication works because a secret key generates rotating six-digit codes. If an attacker steals that secret key, they can generate valid 2FA codes at any time.

As a result, they do not just bypass your password. They bypass your second layer of protection entirely. Put more simply, it is like handing someone both your house key and your alarm code.
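To make the mechanism concrete, here is an added example (not from the original post) that implements RFC 6238 TOTP on top of RFC 4226 HOTP in Python, using the RFC's published reference seed rather than any real secret. It shows that whoever holds the seed computes exactly the codes a server will accept, which is why seed theft defeats the second factor even when the password is never touched.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1(seed, counter) -> dynamic truncation -> decimal digits
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: the HOTP counter is the number of 30-second steps since the epoch
    return hotp(seed, unix_time // step, digits)


def seed_from_base32(enrollment_secret: str) -> bytes:
    # Authenticator apps and enrollment QR codes carry the seed base32-encoded,
    # usually without padding; this is the form a stolen seed would normally be in.
    s = enrollment_secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    # A typical server accepts the current step plus one step either side for clock drift
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, unix_time + drift * 30), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B reference seed (ASCII "12345678901234567890"), not a real secret
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code_on_user_phone = totp(seed, now)
    code_from_copied_seed = totp(seed, now)  # same seed on any other machine
    print("codes match:", code_on_user_phone == code_from_copied_seed)
    print("server accepts copied code:", verify(seed, code_from_copied_seed, now))
```

The assertions below use the RFC 6238 test vectors; for this seed the code at T=59 is 287082, and it is rejected only once the server's acceptance window has moved on.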

Now, consider what Meta Business Manager often controls. Company pages. Advertising accounts. Payment methods. Employee and partner access.

If attackers can export user roles and billing details, they gain a blueprint of the organization’s digital footprint. From there, they can identify high-privilege accounts, redirect ad spend, or launch targeted social engineering campaigns. Consequently, thirty-three installs could lead to dozens of company breaches, significant financial exposure, and follow-on attacks from trusted sources. A recipe for disaster!

The Larger Trust Problem

More broadly, the larger issue here is trust. Many users assume that anything in the Chrome Web Store is safe. While extensions are reviewed, malicious behavior can still slip through. In some cases, it hides inside updates. In others, it hides behind features that appear helpful.

Most users do not review permissions closely enough. Instead, they click “Add Extension” and move on. Yet that one click may grant the ability to read website data, interact with authentication flows, and capture session information. Even when the extension asks for permission, users rarely read all the fine print on what they are granting it permission to do. Users are like water in a river, flowing gently around obstacles in their way with rarely any concern. Then, out of nowhere, a crocodile-like malicious extension strikes and BAM! Really bad things ensue.

Users need to realize that their browser is no longer just a browsing tool. Rather, it is potentially a gateway into their business systems and data.

Managing the Risk

Fortunately, this risk is manageable.

First, organizations must regularly audit installed extensions and remove anything not approved and not essential. Next, managed environments should implement allow-listing so only approved extensions are permitted. Additionally, employees should be trained to question permissions, especially when an extension touches authentication or claims to bypass security steps. Finally, monitoring business platforms for unusual administrative behavior is critical, since session abuse rarely triggers login alerts.
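As an added example (not CyberHoot's tooling) of the audit and allow-listing steps above, the Python below walks a Chrome profile's Extensions folder, flags anything that is not on the organization's approved list, escalates when the unapproved extension holds permissions that reach authentication flows, and emits the managed-browser policy that enforces the allow-list. The allow-list entries and permission watchlist are constructed for the example; the blocked ID is the one named in the report, and the policy keys are Chrome's real ExtensionInstallAllowlist/ExtensionInstallBlocklist settings.

```python
import json
from pathlib import Path

# Constructed for this example: the org's approved set would come from its own inventory.
ALLOWLIST = {"<approved-extension-id-placeholder>": "Approved password manager"}
# Extension ID named in the report.
KNOWN_MALICIOUS = {"jkphinfhmfkckkcnifhjiplhfoiefffl": "CL Suite by @CLMasters"}
# Constructed watchlist: permissions that let an extension read or modify auth traffic.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                     "declarativeNetRequest", "clipboardRead", "scripting",
                     "tabs", "<all_urls>"}


def scan_chrome_profile(profile_dir: str) -> list:
    # Chrome unpacks each installed extension to <profile>/Extensions/<id>/<version>/manifest.json
    found = []
    for manifest in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        with open(manifest, encoding="utf-8") as fh:
            m = json.load(fh)
        found.append({"id": manifest.parent.parent.name,
                      "name": m.get("name", "?"),
                      "permissions": m.get("permissions", []),
                      "host_permissions": m.get("host_permissions", [])})
    return found


def audit(installed: list, allowlist: dict, blocklist: dict) -> list:
    # Returns (extension id, severity, reason) for everything that needs action.
    findings = []
    for ext in installed:
        eid = ext["id"]
        perms = set(ext.get("permissions", [])) | set(ext.get("host_permissions", []))
        if eid in blocklist:
            findings.append((eid, "CRITICAL", f"known malicious: {blocklist[eid]}"))
        elif eid not in allowlist:
            risky = sorted(perms & RISKY_PERMISSIONS)
            severity = "HIGH" if risky else "MEDIUM"
            findings.append((eid, severity, f"not allow-listed; risky permissions: {risky}"))
    return findings


def managed_policy(allowlist: dict) -> dict:
    # Block everything, then permit only the approved IDs; drop this JSON into
    # /etc/opt/chrome/policies/managed/ on Linux or the equivalent GPO/MDM channel.
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": sorted(allowlist)}


if __name__ == "__main__":
    for finding in audit(scan_chrome_profile(str(Path.home() / ".config/google-chrome/Default")),
                         ALLOWLIST, KNOWN_MALICIOUS):
        print(*finding)
    print(json.dumps(managed_policy(ALLOWLIST), indent=2))
```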

The Takeaway

Ultimately, the lesson is simple. Attackers package productivity enhancements containing hidden attacks. They disguise data theft as automation. Above all, they rely on convenience winning over caution.

Awareness can help you plan your security program, alert your users, and avoid these hidden threats.

The post Malicious Chrome Extension Disguised as a Business Tools appeared first on CyberHoot.


By rooter