A newly identified Chrome extension is posing a significant threat to Facebook Business users by surreptitiously stealing two-factor authentication (2FA) codes and analytics data. This malicious tool, which presents itself as a utility for Meta Business operations, has been linked to potential account takeovers and data breaches.
Understanding the Malicious Extension
The extension, known as “CL Suite by @CLMasters” and identified by its ID: jkphinfhmfkckkcnifhjiplhfoiefffl, remains accessible in the Chrome Web Store and specifically targets Meta Business Suite and Facebook Business Manager environments. It promises to aid users by extracting data, analyzing business managers, and generating 2FA codes, while requesting extensive permissions over meta.com and facebook.com domains.
Despite its claims, a technical analysis by Socket AI Scanner reveals that the extension operates more like an infostealer than a productivity tool. It systematically misuses its advertised features to access authentication secrets and business intelligence from logged-in admin sessions.
How the Extension Exploits 2FA and Business Data
One of the most critical issues with the extension is its handling of 2FA for Facebook and Meta Business accounts. Users who rely on its built-in 2FA generator unknowingly allow CL Suite to capture their TOTP seed and current six-digit 2FA code. This information, alongside the associated Facebook username and email, is transmitted to an attacker-controlled infrastructure located at getauth[.]pro, with options for forwarding to a Telegram channel.
Armed with both the seed and a timestamped, valid code, attackers can indefinitely generate valid 2FA codes, facilitating account hijacking once passwords or recovery channels are compromised through infostealers or credential dumps.
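The reason re-enrolling 2FA with a new secret is the only effective remediation is that TOTP (RFC 6238) is fully determined by the seed and the clock: anyone holding a copy of the seed produces exactly the code the service expects, for as long as that seed stays enrolled. The following is an added example, not code from the article or from the extension it describes; it implements the standard HMAC-SHA1 TOTP algorithm and a server-side verifier, and uses a constructed base32 seed and timestamp to show that a captured seed keeps passing verification until the account is re-enrolled with a fresh seed.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for a raw secret and a Unix timestamp."""
    counter = timestamp // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, code: str, timestamp: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock skew."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + drift * step, step), code):
            return True
    return False


def new_enrollment() -> bytes:
    """Fresh 160-bit seed, as a service issues when a user re-enrolls 2FA."""
    return secrets.token_bytes(20)


def demo(now: int = 1_700_000_000):
    """Constructed scenario: the user's seed is copied by a third party.

    Returns (captured_seed_still_valid, captured_seed_rejected_after_rotation).
    """
    # Constructed seed; a real enrollment would be shown to the user as a QR code or base32 string.
    user_seed = base64.b32decode("JBSWY3DPEHPK3PXP")
    captured_seed = bytes(user_seed)              # an attacker's byte-for-byte copy

    # Thirty days later the copy still authenticates, because the seed never changed.
    later = now + 30 * 86400
    still_valid = verify(user_seed, totp(captured_seed, later), later)

    # Re-enrollment replaces the seed; codes derived from the old copy now fail.
    rotated_seed = new_enrollment()
    rejected = not verify(rotated_seed, totp(captured_seed, later), later)
    return still_valid, rejected


if __name__ == "__main__":
    valid, rejected = demo()
    print(f"captured seed still valid before rotation: {valid}")
    print(f"captured seed rejected after re-enrollment: {rejected}")
```

The `verify` function is the service's side of the exchange; the point for an incident responder is that the first call returns True no matter how much time has passed, so revoking a compromised session or changing the password does nothing to the second factor until a new seed is issued.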
Impact on Business Operations and Security Measures
Beyond capturing 2FA material, the extension aggressively targets Meta Business Manager data. It includes a feature for extracting the “People” view, compiling CSV files with details such as names, email addresses, roles, and access levels, and exfiltrating these files to the same backend, often for Telegram distribution.
Moreover, another analytics component catalogues Business Manager IDs, linked ad accounts, connected pages, and billing configurations, providing attackers with a comprehensive map of business assets and funding mechanisms.
Recommended Actions for Businesses
Given its potential impact, organizations utilizing Meta Business or Facebook Business Manager should immediately audit their browser extensions, remove CL Suite, and consider affected accounts compromised. Recommended actions include re-enrolling 2FA with new secrets, reviewing Business Manager roles and members, and monitoring for traffic to getauth[.]pro and similar infrastructure.
For long-term security, enterprises should enforce extension allow-lists for admin browsers and rigorously evaluate any plugin offering scraping, verification bypass, or in-browser 2FA generation for high-value platforms.
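The audit and monitoring steps above can be scripted. The following is an added example, not code from the article; it walks a Chrome user-data directory (Chrome keeps each installed extension at `<profile>/Extensions/<id>/<version>/manifest.json`), flags the extension ID named in this report as well as any extension whose manifest declares host access to facebook.com or meta.com, and separately flags proxy-log lines that reach getauth[.]pro. The profile it inspects and the log lines it scans are constructed inside the script so that it runs offline; the manifests are invented illustrations, not the real extension's manifest, and `run_demo` is a helper of this example only. To audit a real machine, call `audit_extensions` on the actual user-data path instead.

```python
import json
import tempfile
from pathlib import Path

# Indicators from the report: the extension ID and the exfiltration domain.
BLOCKLISTED_IDS = {"jkphinfhmfkckkcnifhjiplhfoiefffl": "CL Suite by @CLMasters"}
EXFIL_DOMAINS = ("getauth.pro",)
WATCHED_HOSTS = ("facebook.com", "meta.com")


def _host_patterns(manifest: dict) -> list:
    """Collect every host pattern an MV2 or MV3 manifest can declare."""
    patterns = [str(p) for p in manifest.get("permissions", []) if "://" in str(p)]
    patterns += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit_extensions(user_data_dir: Path) -> list:
    """One finding per extension that is blocklisted or holds host access to a watched domain."""
    findings = []
    for manifest_path in sorted(user_data_dir.glob("*/Extensions/*/*/manifest.json")):
        ext_id = manifest_path.parents[1].name          # Extensions/<id>/<version>/manifest.json
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue                                    # unreadable manifest; directory still visible
        reasons = []
        if ext_id in BLOCKLISTED_IDS:
            reasons.append(f"blocklisted: {BLOCKLISTED_IDS[ext_id]}")
        hits = [p for p in _host_patterns(manifest) if any(h in p for h in WATCHED_HOSTS)]
        if hits:
            reasons.append("host access to " + ", ".join(hits))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "version": manifest_path.parent.name, "reasons": reasons})
    return findings


def flag_exfil_traffic(log_lines) -> list:
    """Return proxy/DNS log lines that reference the exfiltration domain."""
    return [ln for ln in log_lines if any(d in ln.lower() for d in EXFIL_DOMAINS)]


# Constructed proxy log; the getauth.pro request path is invented for illustration.
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:01:02Z 10.0.0.12 CONNECT business.facebook.com:443 200",
    "2024-05-01T10:01:05Z 10.0.0.12 POST https://getauth.pro/collect 200",
    "2024-05-01T10:01:09Z 10.0.0.12 GET https://fonts.gstatic.com/ 200",
]


def build_demo_profile(root: Path) -> Path:
    """Constructed sample profile: a blocklisted ID, an MV3 extension with meta.com
    host access, and a benign extension. These manifests are invented, not real ones."""
    demo = {
        "jkphinfhmfkckkcnifhjiplhfoiefffl": {"manifest_version": 2, "name": "CL Suite",
            "permissions": ["storage", "*://*.facebook.com/*", "*://*.meta.com/*"]},
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"manifest_version": 3, "name": "Some scraper",
            "host_permissions": ["https://business.meta.com/*"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"manifest_version": 3, "name": "Tab counter",
            "permissions": ["tabs"]},
    }
    for ext_id, manifest in demo.items():
        ext_dir = root / "Default" / "Extensions" / ext_id / "1.0.0_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def run_demo():
    """Build the constructed profile in a temp dir, audit it, and scan the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit_extensions(build_demo_profile(Path(tmp)))
    return findings, flag_exfil_traffic(SAMPLE_PROXY_LOG)


if __name__ == "__main__":
    findings, exfil = run_demo()
    for f in findings:
        print(f"{f['id']} {f['name']} {f['version']}: {'; '.join(f['reasons'])}")
    for line in exfil:
        print("possible exfiltration:", line)
```

Run it on an admin workstation by pointing `audit_extensions` at the real user-data directory (for example `~/.config/google-chrome` on Linux); anything flagged for host access to Meta domains is a candidate for review under the allow-list policy described above, and a blocklisted hit means the account should be treated as compromised and re-enrolled.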