Browser syncjacking: new research details worrying hacking technique


The security research team at SquareX, a security provider, has discovered a major hacking technique that adversaries can use to completely take over a user’s browser and, eventually, the whole device.

To be sure, browser extensions have already been spotlighted as a critical threat to enterprise security. But most of the attacks so far have primarily been around data exfiltration or unauthorized access to specific web applications.

It was thought to be impossible to gain full control of the browser, much less the device, through a browser extension due to the way the extension subsystems were designed.


Well, the team at SquareX has been trying to challenge this conventional wisdom to see if a full browser and device takeover is possible with browser extension syncjacking. And they succeeded.

SquareX’s research shows that an attacker can gain full control of the browser and use it for whatever they choose, rather than being limited to data theft or access to specific web applications.


The victim suspects nothing

According to the researchers, the breach can be executed through a malicious browser extension and, alarmingly, only requires basic permissions, minimal user interaction, and social engineering to work.

SquareX says this is the most powerful extension attack it has uncovered thus far and that it represents a seismic shift in how enterprises will view extensions as a threat vector. Millions of users are at risk, the researchers say, and SquareX has published a full report on the technique.

Such a takeover requires only the basic read/write permissions for web page content that most extensions already request. That, in turn, means that every extension user is potentially at risk.

How does browser syncjacking happen? The first phase is profile hijacking: logging a victim into a Chrome profile managed by the attacker.


Essentially, the attacker registers a domain and sets up a Google Workspace tenant for it. They then create multiple user profiles under that tenant and disable security features such as MFA for those profiles.

Next, they build a functional browser extension and publish it on the Chrome Web Store. The extension will later be used as the channel for retrieving the credentials to these attacker-controlled profiles.

Google Chrome. Image by Getty Images/SOPA Images.

Social engineering then nudges the user towards the malicious extension. Seeing that it asks only for the basic read/write permissions that the most popular extensions, such as Grammarly, Loom and Calendly, also request, the victim installs it.

The extension works as advertised, so the victim suspects nothing nefarious and daily routines continue.

No telltale signs

But this is the moment the extension connects to the attacker’s domain, fetches the credentials for one of the attacker-controlled Workspace profiles, and signs the browser into that profile in the background. In other words, the user is now logged into a managed profile fully controlled by the attacker.

Once sync is turned on for that profile, all locally stored data (passwords, browsing history, autofill information) is uploaded to the attacker’s managed account.

Next, the attacker turns the whole browser into a managed browser under their control. They generate an enrollment token for their Workspace tenant and convince the victim to run an executable disguised as, for instance, a Zoom update; the executable writes the token into Chrome’s policy settings (on Windows, a value under HKLM\Software\Policies\Google\Chrome), which enrols the browser into the attacker’s tenant.

Victims are pushed to install a bogus Zoom update. Courtesy of SquareX.

The attacker gains full control over the victim’s browser, allowing them to silently access all web apps, install additional malicious extensions, redirect users to phishing sites, and monitor or modify file downloads.

In what should be especially concerning to companies, the attacker also gains access to all files in the company’s Google Drive or OneDrive that the victim can reach from the browser.

“There is no telltale sign that a privilege escalation has occurred unless the victim is highly security aware and goes out of their way to regularly inspect their browser settings and look for associations with an unfamiliar Google Workspace account,” said SquareX.

“Thus, it is almost impossible for users to identify anything suspicious once the privilege escalation occurs.”

Extremely dangerous

Finally, the attacker hijacks the device. For this, the attacker’s extension needs a native messaging host registered for it: a manifest that names a local binary and the extension allowed to talk to it (on Windows, the manifest path is recorded under a registry key). This registration can ship inside the same bogus “Zoom” package used for the browser hijacking, or arrive in a later download pushed once the browser is under the attacker’s control.

Chrome’s Native Messaging protocol then provides the bridge between the malicious extension and the local binary: the browser launches the registered host, and the extension exchanges JSON messages with it through chrome.runtime.sendNativeMessage() for one-off requests or chrome.runtime.connectNative() for a long-lived port.

This legitimate mechanism is abused to establish persistent, bidirectional communication between the extension and the attacker’s binary. Because the host is an ordinary process running with the user’s privileges outside the browser sandbox, the extension’s reach is no longer limited to what the extension APIs allow.
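Both persistence artefacts described above, the enrollment token that turns the browser into a managed one and the native messaging host manifest that bridges the extension to a local binary, leave inspectable traces on the workstation. The script below is an added example for hunting them; it is not SquareX’s tooling and is not taken from the report. The manifest locations and the CloudManagementEnrollmentToken policy value are Chrome’s documented ones; the sample manifest, the extension IDs, the trusted install roots and the token value are constructed for the demonstration.

```python
"""Added example: hunt for the two artefacts that syncjacking leaves on a
workstation, a Chrome enrollment token the organisation never issued and a
native messaging host manifest that bridges an extension to a local binary.
Not SquareX's tooling; every sample value below is constructed."""
import json
import re
import sys
from pathlib import Path

# Chrome extension IDs are 32 characters from the alphabet a-p.
EXT_ID_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

# Directories Chrome scans for native messaging host manifests (user, then system).
MANIFEST_DIRS = {
    "linux": [Path.home() / ".config/google-chrome/NativeMessagingHosts",
              Path("/etc/opt/chrome/native-messaging-hosts")],
    "darwin": [Path.home() / "Library/Application Support/Google/Chrome/NativeMessagingHosts",
               Path("/Library/Google/Chrome/NativeMessagingHosts")],
}
# On Windows each host is a subkey whose default value is the manifest path.
WIN_HOST_KEY = r"Software\Google\Chrome\NativeMessagingHosts"
# Policy value that enrols the browser into a Workspace / Chrome Browser Cloud Management tenant.
TOKEN_VALUE = "CloudManagementEnrollmentToken"

# Constructed allowlists: the extension IDs and install roots your organisation approves.
TRUSTED_EXT_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
TRUSTED_PATH_PREFIXES = ("C:\\Program Files", "/usr/lib", "/Library", "/Applications")

# Constructed manifest shaped like one a fake "update" installer would drop.
SAMPLE_MANIFEST = json.loads(r"""{
  "name": "com.example.updater",
  "description": "constructed sample, not a real host",
  "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ZoomUpdate.exe",
  "type": "stdio",
  "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]
}""")


def assess_manifest(manifest, trusted_ext_ids, trusted_path_prefixes):
    """Return findings for one host manifest; an empty list means nothing looked odd."""
    findings = []
    for field in ("name", "path", "type", "allowed_origins"):
        if field not in manifest:
            findings.append(f"missing required field {field!r}")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected host type {manifest.get('type')!r}")
    path = str(manifest.get("path", ""))
    if not path.startswith(trusted_path_prefixes):
        findings.append(f"host binary outside trusted locations: {path}")
    for origin in manifest.get("allowed_origins", []):
        match = EXT_ID_RE.match(origin)
        if not match:
            findings.append(f"malformed allowed origin {origin!r}")
        elif match.group(1) not in trusted_ext_ids:
            findings.append(f"unapproved extension may talk to host: {match.group(1)}")
    return findings


def assess_policy(policy, expected_token):
    """Flag an enrollment token the org did not issue (expected_token=None: none should exist)."""
    token = policy.get(TOKEN_VALUE)
    if token is None:
        return []
    if expected_token is None:
        return [f"browser is enrolled (token {token[:8]}...) but the org issues no tokens"]
    if token != expected_token:
        return [f"enrollment token {token[:8]}... does not match the org's token"]
    return []


def collect_manifests():
    """Load every host manifest Chrome would honour on this machine (best effort)."""
    paths = []
    if sys.platform.startswith("win"):
        import winreg
        for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
            try:
                with winreg.OpenKey(hive, WIN_HOST_KEY) as key:
                    for i in range(winreg.QueryInfoKey(key)[0]):
                        with winreg.OpenKey(key, winreg.EnumKey(key, i)) as host:
                            paths.append(Path(winreg.QueryValueEx(host, "")[0]))
            except OSError:
                pass  # this hive has no hosts registered
    else:
        for d in MANIFEST_DIRS["darwin" if sys.platform == "darwin" else "linux"]:
            paths.extend(d.glob("*.json"))
    return [json.loads(p.read_text()) for p in paths if p.is_file()]


def demo():
    """Run both checks over the constructed sample data."""
    return {
        "manifest": assess_manifest(SAMPLE_MANIFEST, TRUSTED_EXT_IDS, TRUSTED_PATH_PREFIXES),
        "policy": assess_policy({TOKEN_VALUE: "0f3c2a19-constructed-token"}, expected_token=None),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    for m in collect_manifests():
        print(m.get("name"), assess_manifest(m, TRUSTED_EXT_IDS, TRUSTED_PATH_PREFIXES))
```

The policy snapshot passed to assess_policy() is whatever your inventory tool reads from the platform’s policy store: on Windows the value under HKLM\Software\Policies\Google\Chrome, on macOS the com.google.Chrome managed preferences, on Linux the JSON files in /etc/opt/chrome/policies/managed. An extension that holds only content read/write permissions cannot register a host by itself, which is why the attack needs the disguised executable; a manifest whose binary sits in a user-writable directory such as Temp or Downloads, allowed for an extension ID nobody approved, is the fingerprint of that step.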


Needless to say, the process is complicated – but not for an experienced hacker. Once device control is achieved, the attacker’s capabilities become virtually unlimited, SquareX says.


That’s because an attacker in control of the device can read and modify the file system, conduct surveillance, and harvest credentials (passwords, crypto wallets, authentication tokens and cookies). Remote control of the machine is now possible, too.

According to SquareX, this method of attack is extremely dangerous because most organizations operate without managed browsers or profiles.

Besides, they usually have no visibility into their employees’ browser extension installations, which are often driven by trending tools and social media recommendations.

And even with managed browsers, security teams lack the capability to detect suspicious activity at runtime, the researchers say.

“This is especially worrying due to the unregulated nature of the space. Today, no identity verification is required to create a new Google Workspace account or publish extensions on the Chrome Store, nor does Google perform any additional checks on extensions requesting these permissions,” said SquareX.

The researchers said they have contacted Google to collaborate on a responsible disclosure because the problem can only be tackled with a browser-native solution that understands the runtime behavior of each extension.