
Browser syncjacking exposes risks in Chrome extensions
SquareX has revealed a new attack technique, dubbed "browser syncjacking," which demonstrates how malicious browser extensions can be utilised to gain complete control over a user's browser and potentially their entire device.
Researchers at SquareX including Dakshitaa Babu, Arpit Gupta, Sunkugari Tejeswara Reddy and Pankaj Sharma have illustrated how attackers can escalate privileges to achieve a full takeover with minimal user interaction.
The finding challenges the common assumption that browser extensions are low risk: any extension can become an attack vector if it is built by, or later falls under the control of, a malicious actor. According to the researchers, extensions on the Chrome Web Store, including everyday productivity tools such as Grammarly, Calendly and Loom, typically hold read/write permissions over the pages a user visits, and it is that same level of access the attack relies on.
The browser syncjacking attack comprises three core components: profile hijacking, browser takeover, and ultimately device hijacking. The attack begins when a user installs an extension that either purports to offer a useful service or is an existing popular extension that has been compromised.
Once installed, the extension silently signs the browser into a Chrome profile belonging to a Google Workspace domain the attacker controls. Because that profile is managed, the attacker now controls its managed-profile settings without the user ever having been asked.
From there the attackers escalate through social engineering. Because the lure pages sit on legitimate, trusted domains, the user can be persuaded to turn on Chrome sync for the profile, which hands the attacker the saved passwords, browsing history and other data stored in it. Since all of this traffic goes to legitimate services, the step is unlikely to raise alerts in network security tooling.
To take over the whole browser, the same extension intercepts a legitimate download and swaps in a malicious file carrying an enrolment token; running it enrols the browser into management under the attacker's Google Workspace. A browser managed this way accepts whatever policies the attacker pushes, so they can disable security features, force-install further malicious extensions, exfiltrate data and redirect the user to phishing sites.
Detection is harder still because, to the average user, a managed and an unmanaged browser look identical. Unless someone knows to check chrome://management or to look for the "Managed by your organization" entry in Chrome's menu, nothing on screen gives the takeover away.
In the final stage the user runs a downloaded file that writes the registry entries Chrome uses to register a native messaging host, the documented channel through which an extension exchanges messages with a local executable. With that channel in place the attacker controls the device to a significant degree, for example turning on the camera, recording the screen and installing software, with no further prompt or authentication.
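The two artefacts the last two stages leave on a Windows host, the enrolment token policy value and a native messaging host registration, are both documented by Chrome and both auditable. The script below is an added example, not SquareX's tooling and not code from the research: it parses native messaging host manifests, flags any host that an unapproved extension ID is allowed to talk to or whose binary lives in a user-writable directory, and reports whether a cloud-management enrolment token is set. The registry locations are the ones Chrome's enterprise and native messaging documentation gives; the sample hosts, extension IDs, paths and token value are constructed for the example, and the user-writable path list is a heuristic of my own.

```python
"""Audit Chrome native-messaging host registrations and cloud-management
enrolment, the two registry-backed artefacts described in the write-up.

Hypothetical audit script (not SquareX's tooling). Inputs are constructed
in-line so it runs offline; on Windows, read_windows_hosts() pulls the real
entries from the registry locations Chrome documents.
"""
import json
import re

# Chrome extension IDs are 32 characters drawn from a-p.
EXT_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")

# Registry locations documented by Chrome (Windows).
NMH_KEYS = [
    ("HKCU", r"SOFTWARE\Google\Chrome\NativeMessagingHosts"),
    ("HKLM", r"SOFTWARE\Google\Chrome\NativeMessagingHosts"),
]
ENROLMENT_KEY = r"SOFTWARE\Policies\Google\Chrome"
ENROLMENT_VALUE = "CloudManagementEnrollmentToken"

# Heuristic (my own, not Chrome's): a host binary in a user-writable
# location is a red flag, since a legitimate installer would not drop it there.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def audit_host(reg_name, manifest, allowed_ids):
    """Return a list of findings for one native messaging host registration.

    reg_name    -- registry subkey name (Chrome requires it to equal manifest["name"])
    manifest    -- the parsed manifest JSON that the subkey's default value points to
    allowed_ids -- extension IDs the organisation permits to use native messaging
    """
    findings = []
    if manifest.get("name") != reg_name:
        findings.append("name mismatch: key %r vs manifest %r" % (reg_name, manifest.get("name")))
    if manifest.get("type") != "stdio":
        findings.append("unexpected type %r" % manifest.get("type"))
    path = manifest.get("path", "")
    if any(p in path.lower() for p in USER_WRITABLE):
        findings.append("host binary in user-writable path: %s" % path)
    # allowed_origins is what binds a host to specific extensions; anything
    # outside the allowlist is a local-execution bridge for an unknown extension.
    for origin in manifest.get("allowed_origins", []):
        m = EXT_ORIGIN.match(origin)
        if not m:
            findings.append("malformed origin %r" % origin)
        elif m.group(1) not in allowed_ids:
            findings.append("unapproved extension may talk to host: %s" % m.group(1))
    return findings


def audit_hosts(hosts, allowed_ids):
    """hosts: iterable of (reg_name, manifest_dict). Returns {reg_name: findings}."""
    return {name: audit_host(name, manifest, allowed_ids) for name, manifest in hosts}


def is_cloud_enrolled(chrome_policy_values):
    """True if an enrolment token is set, i.e. the browser will enrol into
    whichever Chrome Browser Cloud Management tenant issued that token."""
    token = chrome_policy_values.get(ENROLMENT_VALUE)
    return bool(token and token.strip())


def read_windows_hosts():
    """Windows only: yield (reg_name, manifest) for every registered host."""
    import winreg  # only importable on Windows
    for hive_name, subkey in NMH_KEYS:
        hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
        try:
            key = winreg.OpenKey(hive, subkey)
        except OSError:
            continue
        i = 0
        while True:
            try:
                name = winreg.EnumKey(key, i)
            except OSError:
                break
            i += 1
            manifest_path, _ = winreg.QueryValueEx(winreg.OpenKey(key, name), "")
            with open(manifest_path, encoding="utf-8") as fh:
                yield name, json.load(fh)


# Constructed sample data standing in for registry contents.
SAMPLE_HOSTS = [
    ("com.example.corpapp", {
        "name": "com.example.corpapp",
        "description": "Approved corporate host",
        "path": "C:\\Program Files\\CorpApp\\host.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
    }),
    ("com.example.helper", {
        "name": "com.example.helper",
        "description": "Dropped by the swapped-in download",
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\helper.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"],
    }),
]
ALLOWED_IDS = {"abcdefghijklmnopabcdefghijklmnop"}
# Constructed stand-in for the values under HKLM\SOFTWARE\Policies\Google\Chrome.
SAMPLE_POLICY = {ENROLMENT_VALUE: "11111111-2222-3333-4444-555555555555"}

if __name__ == "__main__":
    for name, findings in audit_hosts(SAMPLE_HOSTS, ALLOWED_IDS).items():
        print(name, "OK" if not findings else findings)
    print("cloud-enrolled:", is_cloud_enrolled(SAMPLE_POLICY))
```

On a real Windows host, replace SAMPLE_HOSTS with list(read_windows_hosts()) and read the enrolment value from the policy key with winreg in the same way. The allowlist is the important input: a native messaging host is only as trustworthy as the extension IDs in its allowed_origins, so the audit should be run against the set of extensions the organisation has actually approved.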
SquareX stressed that the attack needs only minimal user interaction and basic extension permissions, and that it leans on trusted web platforms for its social engineering, which is why it slips past traditional security monitoring.
Vivek Ramachandran, Founder of SquareX, stated, "This research exposes a critical blind spot in enterprise security. Traditional security tools simply can't see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A Browser Detection-Response solution isn't just an option anymore - it's a necessity. Without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers. This attack technique demonstrates why security needs to 'shift up' to where the threats are actually happening: in the browser itself."
SquareX's previous work includes security research on browser extensions and the identification of various related threats, including the OAuth attack on Chrome extension developers and the discovery of Last Mile Reassembly attacks, which bypass existing Secure Web Gateway solutions. Based on this research, the company has developed a Browser Detection and Response solution aimed at defending enterprises from such extension-based attacks by conducting real-time dynamic analysis of active browser extensions within organisational networks.