
Fake Workday and NetSuite extensions: cookies, blocked admin pages, and session hijack

Socket described five Chrome add-ons posing as cloud HR/ERP access helpers—continuous cookie exfiltration, DOM blocks on dozens of security URLs, and one variant that could inject stolen sessions.

eSafe Team · Published Jan 16, 2026 · Last reviewed Apr 1, 2026 · 7 min read

Socket researcher Kush Pandya analyzed five Chrome extensions marketed as shortcuts to Workday, NetSuite, SuccessFactors, and similar enterprise apps. Naming followed patterns like DataByCloud and Software Access, with two publisher labels but shared code and infrastructure—treated as one coordinated operation.

Install counts in reporting were modest (hundreds to about one thousand per listing), but enterprise sessions are high leverage: a valid cookie can mean account access without phishing the password again.

What the extensions did

Credential plumbing
DataByCloud Access (and related variants) requested broad powers: cookies, storage, scripting, management, and declarativeNetRequest, scoped to Workday, NetSuite, SuccessFactors, and related hosts. Stolen auth cookies were sent on a timer (coverage cited roughly every 60 seconds) to api.databycloud.com.

Blocking the response team
Tool Access 11 and Data By Cloud 2 used DOM manipulation to wipe or derail dozens of admin and security pages inside Workday—authentication settings, session controls, IP ranges, audit logs, password changes, 2FA device management, sandbox (workdaysuv) surfaces, and more. The idea is painfully practical: defenders may see something wrong yet cannot reach the UI to revoke sessions cleanly.

Anti-forensics
Data By Cloud 1 mirrored cookie theft and added developer-tool interference via the DisableDevtool library. Encrypted C2 was mentioned for some variants.

Session hijack in the other direction
Software Access combined theft with injection: cookies fetched from api.software-access.com could be written into the browser with chrome.cookies.set, cloning a victim session into an attacker profile. It also tried to shield password fields from inspection.

Extension “competitor” fingerprinting

All five reportedly shipped a shared list of ~23 security-related extensions (cookie editors, header tools, session boxes, devtools helpers). The likely goal: detect tooling that could expose or disrupt cookie harvesting. The same list across builds suggests a shared kit or one operator with multiple store personas.

Distribution note

Most listings were removed from the Chrome Web Store after disclosure; reporting still warned copies could linger on third-party download sites (Softonic was named). Treat non-store CRX as higher risk.

What affected orgs should do

  • Remove the add-ons, invalidate sessions, rotate passwords where policy allows, and review sign-ins from unknown IPs / devices.
  • Assume admin lockout may have delayed containment—use out-of-band admin paths documented by the SaaS vendor.
  • Blocklist publisher accounts and IOCs from your threat intel feed.

Practical next step

Never install a “portal access” extension for Workday / NetSuite unless IT explicitly approves it; official login is always the browser tab, not a random store helper. eSafe can help you see permissions and risk signals in one place.

Go deeper

Analyze an extension before you install: permissions, publisher signals, and update history.

Report: The Hacker News.

FAQ

How do fake HR or ERP extensions steal sessions?
Reporting points to continuous access to cookies and page context in the browser, sometimes combined with blocking security dashboards so victims see fewer warning signals while tokens remain valid.
Should employees install “quick access” extensions to SaaS apps?
Use IT-approved workflows and official SSO or bookmark links. Unvetted extensions that wrap enterprise login pages are high risk because they sit in the authentication path.
What should security teams hunt for?
Unexpected extensions with cloud-ERP naming, new publishers, broad host permissions, and outbound calls to infrastructure shared across multiple store listings—correlate with the original Socket research for cluster details.
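To turn the hunting criteria above, and the permission set listed under Credential plumbing, into a repeatable check, here is an added Python triage script that is not part of the eSafe or Socket material: it scores an unpacked extension's manifest.json for the risky permission combination and for host access scoped to the HR/ERP login domains. The domain list, the weights, and the sample manifest are assumptions constructed for this example.

```python
import json

# Permissions the write-up names in the malicious add-ons (storage is benign alone, so unweighted).
HIGH_RISK_PERMISSIONS = {"cookies", "scripting", "management", "declarativeNetRequest"}
# Assumed domains for the enterprise apps the article names.
ENTERPRISE_DOMAINS = ("workday.com", "netsuite.com", "successfactors.com")

# Constructed sample manifest shaped like the permission set described above.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Cloud Portal Access",
  "permissions": ["cookies", "storage", "scripting", "management", "declarativeNetRequest"],
  "host_permissions": ["*://*.workday.com/*", "*://*.netsuite.com/*", "*://*.successfactors.com/*"],
  "content_scripts": [{"matches": ["*://*.workday.com/*"], "js": ["content.js"]}]
}""")

def pattern_host(pattern):
    # Reduce a match pattern such as '*://*.workday.com/*' to its host part.
    if pattern == "<all_urls>":
        return "*"
    return pattern.split("://", 1)[-1].split("/", 1)[0]

def is_enterprise_host(host):
    bare = host.lstrip("*.")  # a bare '*' means every host, which includes these
    return host == "*" or any(bare == d or bare.endswith("." + d) for d in ENTERPRISE_DOMAINS)

def declared_host_patterns(manifest):
    # Host access from MV3 host_permissions, MV2-style entries in permissions,
    # and content_scripts.matches (where a DOM-tampering script would run).
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        patterns += cs.get("matches", [])
    return patterns

def triage_manifest(manifest):
    risky = sorted(set(manifest.get("permissions", [])) & HIGH_RISK_PERMISSIONS)
    hosts = sorted({pattern_host(p) for p in declared_host_patterns(manifest)})
    enterprise = [h for h in hosts if is_enterprise_host(h)]
    score = 2 * len(risky)
    if enterprise and "cookies" in risky:
        score += 3  # cookie access scoped to an HR/ERP login host: exfiltration shape
    if enterprise and "scripting" in risky:
        score += 2  # can rewrite the admin UI on those hosts (the lockout trick)
    if "management" in risky and "cookies" in risky:
        score += 1  # can enumerate other extensions (the "competitor" list)
    return {"risky_permissions": risky, "enterprise_hosts": enterprise,
            "score": score, "verdict": "review" if score >= 5 else "low"}
```

Run it over each manifest.json under the browser profile's Extensions directory and review anything scoring "review"; the weights are a starting point, not a verdict on their own.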
