Malicious Chrome Extension Steals Facebook Business Manager 2FA Codes

High-value ad accounts are at risk of being taken over by a malicious Chrome extension that purports to assist Meta Business users while covertly stealing Facebook Business Manager 2FA codes and analytics data. The Chrome Web Store still offers the extension "CL Suite by @CLMasters" (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), which is designed to work with the Meta Business Suite and Facebook Business Manager environments.

(Image: Socket AI Scanner's analysis of the malicious CL Suite by @CLMasters Chrome extension. Source: Socket)

CL Suite, which is marketed as a tool to "extract people data, analyze Business Managers, remove verification popups, and generate 2FA codes," asks for extensive permissions over facebook.com and meta.com.

From Productivity Tool to Infostealer

According to its privacy statement, Business Manager information and 2FA secrets stay local to the browser. Technical analysis, however, reveals that the extension functions more like an infostealer than a productivity tool. Socket's researchers discovered that it routinely exploits the very features it promotes in order to obtain business intelligence and authentication secrets from authenticated administrator sessions.

The extension's handling of two-factor authentication for Facebook and Meta Business accounts is the most significant problem. When users rely on its integrated 2FA generator, CL Suite records the TOTP seed along with the current six-digit 2FA code.

(Image: The CL Suite by @CLMasters extension listed in the Chrome Web Store. Source: Socket)

The seed and code are sent, together with the associated Facebook username and email, to attacker-controlled infrastructure at getauth[.]pro, with the option to forward the data to a Telegram channel. With the seed and a timestamped, valid code, attackers can generate working 2FA codes indefinitely, so account takeover becomes simple once passwords or recovery channels are acquired from infostealers or credential dumps.

Business Manager Contacts and Analytics Gathered

(Image: The official business tools page of Meta. Source: Socket)

Meta Business Manager data is also a primary target of the extension. A "People" extraction feature scrapes the Business Manager "People" view and creates CSV files containing names, email addresses, roles, status, and access levels. The CSV files are then silently exfiltrated to the same backend, frequently designated for Telegram forwarding.

Another analytics component lists Business Manager IDs, linked ad accounts, linked pages, and billing or payment configurations, giving attackers a comprehensive map of business assets and of the funding methods for ad spend. Even with a small install base, this visibility is sufficient to identify valuable targets and plan follow-on fraud or account-takeover activity.

(Image: Clmasters[.]pro's Meta Business Suite Tools privacy policy page. Source: Socket)

According to Socket's Threat Research team, organizations that use Facebook Business Manager or Meta Business should audit browser extensions, delete CL Suite, and treat affected accounts as compromised. Suggested actions include re-enrolling 2FA with new secrets, reviewing Business Manager roles and members, and monitoring for traffic to getauth[.]pro and associated infrastructure.
In the long run, businesses should enforce extension allow lists on admin browsers and carefully examine any plugin that provides scraping, verification bypass, or in-browser 2FA generation for high-value platforms.
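
One way to run the extension audit recommended above (an added example, not code from Socket's report): it walks a Chrome profile's Extensions directory, flags the CL Suite ID, and marks for review any extension outside the allow list whose manifest grants access to facebook.com or meta.com. The `allow_list` parameter, the function names and the sample manifests are assumptions constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

BLOCKED_IDS = {"jkphinfhmfkckkcnifhjiplhfoiefffl"}  # CL Suite ID given in the article
SENSITIVE = ("facebook.com", "meta.com")  # domains the article says it requests

def host_patterns(manifest):
    """Match patterns from MV3 host_permissions, MV2 permissions and content scripts."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    pats += [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    return pats

def touches_sensitive(pattern):
    """True if a match pattern covers a sensitive domain or every site."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    host = host[2:] if host.startswith("*.") else host  # "*.meta.com" -> "meta.com"
    wide = pattern == "<all_urls>" or host == "*"
    return wide or any(host == d or host.endswith("." + d) for d in SENSITIVE)

def audit(extensions_dir, allow_list=frozenset()):
    """Yield (extension_id, verdict) for each manifest under an Extensions directory."""
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parts[-3]  # layout: Extensions/<id>/<version>/manifest.json
        manifest = json.loads(path.read_text(encoding="utf-8"))
        verdict = "ok: no Facebook/Meta access"
        if ext_id in BLOCKED_IDS:
            verdict = "REMOVE: known-malicious ID"
        elif ext_id in allow_list:
            verdict = "ok: allow-listed"
        elif any(touches_sensitive(p) for p in host_patterns(manifest)):
            verdict = "REVIEW: not allow-listed, can access Facebook/Meta pages"
        yield ext_id, verdict

def build_sample(root):
    """Write constructed manifests (not real extension contents) for a demo run."""
    samples = {
        "jkphinfhmfkckkcnifhjiplhfoiefffl": {"host_permissions": ["https://*.facebook.com/*"]},
        "a" * 32: {"content_scripts": [{"matches": ["https://business.facebook.com/*"]}]},
        "b" * 32: {"host_permissions": ["https://example.org/*"]},
    }
    for ext_id, manifest in samples.items():
        (Path(root) / ext_id / "1.0_0").mkdir(parents=True)
        (Path(root) / ext_id / "1.0_0" / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit(build_sample(tmp)), sep="\n")
```

On a real workstation, point `audit()` at each profile's Extensions directory (on Linux, `~/.config/google-chrome/Default/Extensions`) and pass the organization's approved extension IDs as `allow_list`.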











