Meta Business Admins Exposed by 2FA-Harvesting Chrome Extension

February 16, 2026


A malicious Google Chrome extension masquerading as a productivity tool for Meta Business users has been found stealing two-factor authentication secrets and sensitive business data, enabling silent takeover of Facebook and Instagram assets. 

The extension, CL Suite by @CLMasters, advertises itself as a way to streamline Meta Business workflows, but Socket researchers say it quietly exfiltrates authentication material and internal account data.

Behind the scenes, the extension “… exfiltrates TOTP seeds, 2FA codes, Business Manager contact lists, and analytics data to infrastructure controlled by the threat actor,” said Socket researchers.

Inside the CL Suite Extension’s Data Collection

Socket’s analysis shows CL Suite requests broad access to meta[.]com and facebook[.]com, giving it visibility into Meta Business Suite and Facebook Business Manager admin and authentication workflows. 

This level of access places the extension directly in the path of sensitive business operations, such as user management, billing configuration, and multi-factor authentication (MFA) workflows.

Marketed in the Chrome Web Store as a Meta Business Suite tool, CL Suite claims to help users extract Business Manager data, suppress verification popups, and generate 2FA codes to reduce friction. 

While these features are presented as productivity enhancements, the extension’s underlying behavior extends well beyond what users are led to expect. 

Its background scripts collect Facebook account identifiers, active tab URLs, public IP addresses, and user-agent data, then combine this context with other sensitive information harvested from authenticated sessions.

Analysis identified concerning behavior in the extension’s built-in 2FA generator.

Each time a user generates a code, CL Suite transmits both the time-based one-time password (TOTP) seed and the currently valid six-digit code to infrastructure controlled by the threat actor. 

Once an attacker also obtains the account password or recovery access from another source, they can generate valid 2FA codes indefinitely, enabling persistent account takeover even after the extension is removed.
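The reason a stolen TOTP seed outlives the extension is that the seed alone determines every future code. The following added example (not code from the article or from Socket's report) implements RFC 6238 TOTP with the standard library and shows that codes derived from a leaked seed verify at any later time until the account is re-enrolled with a fresh seed; the seed values and times are constructed for illustration.

```python
"""Added illustration: a leaked TOTP seed keeps producing valid codes until
MFA is re-enrolled. RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits)."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30
DIGITS = 6


def totp(seed_b32: str, unix_time: int) -> str:
    """TOTP code for a base32-encoded seed at the given Unix time (RFC 6238)."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(seed_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step +/- `window` steps."""
    return any(
        hmac.compare_digest(totp(seed_b32, unix_time + k * STEP), code)
        for k in range(-window, window + 1)
    )


def new_seed() -> str:
    """Re-enrollment: a fresh 160-bit seed, as pairing a new authenticator would produce."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def leaked_seed_scenario(leaked_seed: str, now: int) -> dict:
    """Before re-enrollment, codes from the leaked seed verify now and a year
    from now; after re-enrollment, the server holds a new seed and the leaked
    one no longer verifies (barring a one-in-a-million code collision)."""
    later = now + 365 * 86400
    fresh = new_seed()  # the account's new server-side seed after re-enrollment
    return {
        "valid_now": verify(leaked_seed, totp(leaked_seed, now), now),
        "valid_next_year": verify(leaked_seed, totp(leaked_seed, later), later),
        "valid_after_reenroll": verify(fresh, totp(leaked_seed, now), now),
    }


if __name__ == "__main__":
    # Constructed seed: the RFC 6238 test key "12345678901234567890" in base32.
    print(leaked_seed_scenario("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59))
```

The defensive takeaway matches the article's guidance: removing the extension does nothing for the seed already sent; only re-enrolling MFA (a new seed) invalidates the attacker's generator.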

In parallel, CL Suite scrapes Meta Business Manager interfaces to build CSV exports of internal account data, including employee and partner names, email addresses, roles, and access levels. 

Additional modules enumerate Business Manager analytics, mapping linked ad accounts, associated assets, and billing relationships. 

Although the extension presents these exports as local, user-initiated downloads, the same datasets are quietly transmitted to a backend service at getauth[.]pro, with selected payloads forwarded in near real time to a Telegram channel controlled by the operator.

These behaviors stand in direct contradiction to the extension’s published privacy policy, which asserts that 2FA secrets and Business Manager data are stored locally and that any transmitted information is anonymized usage data. 

Code-level analysis shows the opposite: CL Suite deliberately collects and exfiltrates authentication material and personally identifiable business data without meaningful disclosure or user consent.

Reducing Risk from Malicious Browser Extensions

This incident underscores the need to carefully manage browser extensions in high-privilege administrative environments. 

Extensions with broad, persistent access can weaken authentication controls and expose sensitive business data if abused. 

Effective risk reduction depends on preventative controls, continuous monitoring, and response readiness.

  • Audit and remove unapproved or high-risk browser extensions from systems used to access Meta Business Suite, Facebook Business Manager, and other administrative consoles.
  • Enforce strict browser extension allow lists and restrict admin access to managed, hardened devices or dedicated browser profiles.
  • Rotate credentials and fully re-enroll MFA for any accounts exposed, prioritizing phishing-resistant MFA where supported.
  • Reduce standing administrative privileges by applying least-privilege access, role segmentation, and time-bound elevation for sensitive actions.
  • Monitor outbound browser traffic and DNS activity for suspicious domains, telemetry patterns, and extension-based command-and-control behavior.
  • Continuously monitor for abnormal account behavior, including unexpected changes to users, ad accounts, billing settings, or linked assets.
  • Regularly test incident response plans for browser-based credential theft and account takeover scenarios.
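The monitoring and allow-list items above can be combined into one check on browser egress logs. The added example below (not from the article or Socket's report) scans constructed proxy log lines for the exfiltration domain named in the report and for requests whose `Origin` is a Chrome extension outside an approved allow list; the log format, the proxy logging the `Origin` header, and the approved extension ID are assumptions for the example.

```python
"""Added detection example: flag browser egress log entries that hit the
exfiltration domain named in the report or that originate from an
extension not on the organization's allow list."""
import re

# Domain from the Socket report (defanged in the article as getauth[.]pro).
EXFIL_DOMAINS = {"getauth.pro"}
# Hypothetical allow list of approved extension IDs (Chrome IDs are 32 letters a-p).
APPROVED_EXTENSIONS = {"a" * 32}

# Constructed proxy log lines: timestamp, source host, destination host, Origin.
SAMPLE_LOG = """\
2026-02-16T09:00:01Z admin-ws-01 business.facebook.com https://business.facebook.com
2026-02-16T09:00:03Z admin-ws-01 getauth.pro chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
2026-02-16T09:00:04Z admin-ws-01 api.approved.example chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2026-02-16T09:00:09Z admin-ws-02 cdn.getauth.pro -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
EXT_ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})$")


def matches_exfil_domain(host: str) -> bool:
    """True for a listed domain or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)


def classify(line: str) -> list[str]:
    """Return the reasons a log line is suspicious (empty list if none)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    _ts, _src, host, origin = m.groups()
    reasons = []
    if matches_exfil_domain(host):
        reasons.append(f"known exfil domain: {host}")
    ext = EXT_ORIGIN_RE.match(origin)
    if ext and ext.group(1) not in APPROVED_EXTENSIONS:
        reasons.append(f"unapproved extension: {ext.group(1)}")
    return reasons


def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Classify every non-empty line; return (line, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        if line.strip() and (reasons := classify(line)):
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {line.split()[1]}: {'; '.join(reasons)}")
```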

Taken together, these measures help organizations reduce both exposure to malicious extensions and the potential blast radius if an account or administrative environment is compromised. 

Why Browser Extension Governance Matters

The CL Suite case shows that browser extensions in high-privilege environments require careful management. 

As administrative platforms continue to move into the browser, extension governance becomes an increasingly important part of enterprise security.

This trend reinforces why organizations are leveraging zero-trust solutions that limit implicit trust in browser sessions and administrative access.