The Good Tech Companies - SquareX Discloses “Browser Syncjacking”, a New Attack Technique That Puts Millions At Risk
Episode Date: January 30, 2025
This story was originally published on HackerNoon at: https://hackernoon.com/squarex-discloses-browser-syncjacking-a-new-attack-technique-that-puts-millions-at-risk. This story was written by: @cybernewswire.
SquareX reveals a new attack technique that shows how malicious extensions can be used to completely hijack the browser, and eventually, the whole device. The attack begins with an employee installing any browser extension. The extension then “silently” authenticates the victim into a Chrome profile managed by the attacker’s Google Workspace.
Transcript
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
SquareX Discloses “Browser Syncjacking”, a New Attack Technique That Puts Millions at Risk
By CyberNewswire.
Palo Alto, USA, January 30, 2025, CyberNewswire: SquareX discloses a new attack technique that shows how malicious extensions can be used to completely hijack the browser, and eventually, the whole device. Browser extensions have been under the spotlight in enterprise security news recently due to the wave of OAuth attacks on Chrome extension developers and data exfiltration attacks. However, until now, due to the limitations browser vendors place on the extension subsystem and extensions, it was thought to be impossible for extensions to gain full control of the browser, much less the device.
SquareX researchers Dakshitaa Babu, Arpit Gupta, Sunkugari Tejaswara Reddy and Pankaj Sharma debunked this belief by demonstrating how attackers can use malicious extensions to escalate privileges to conduct a full browser and device takeover, all with minimal user interaction. Critically, the malicious extension only requires read-write capabilities present in the majority of browser extensions on the Chrome store, including common productivity tools like Grammarly, Calendly and Loom, desensitizing users to granting these permissions.
This revelation suggests that virtually any browser extension could potentially serve as an attack vector if created or taken over by an attacker. To the best of our understanding, extensions submitted to the Chrome store requesting these capabilities are not put through additional security scrutiny at the time of this writing. The Browser Syncjacking attack can be broken up into three parts: how the extension silently adds a profile managed by the attacker, hijacks the browser and eventually gains full control of the device.
Profile Hijacking
The attack begins with an employee installing any browser extension. This could involve publishing one that masquerades as an AI tool or taking over existing popular extensions that may have up to millions of installations in aggregate. The extension then “silently” authenticates the victim into a Chrome profile managed by the attacker's Google Workspace. This is all done in an automated manner in a background window, making the whole process almost imperceptible to the victim. Once this authentication occurs, the attacker has full control over the newly managed profile in the victim's browser, allowing them to push automated policies such as disabling Safe Browsing and other security features. Using a very clever social engineering attack that exploits trusted domains, the adversary can then further escalate the profile-hijacking attack to steal passwords from the victim's browser. For example, the malicious extension can append to and modify Google's official support page on how to sync user accounts to prompt the victim to perform the sync with just a few clicks. Once the profile is synced, attackers have full access to all credentials and browsing history stored locally. As this attack only leverages legitimate sites and has no visible sign that they have been modified by the extension, it will not trigger any alarm bells in security solutions monitoring the network traffic.
Browser Takeover
To achieve a full browser takeover, the attacker essentially needs to convert the victim's Chrome browser into a managed browser. The same extension monitors and intercepts a legitimate download, such as a Zoom update, and replaces it with the attacker's executable, which contains an enrollment token and registry entry to turn the victim's Chrome browser into a managed browser. Thinking that they downloaded a Zoom updater, the victim executes the file, which ends up installing a registry entry that instructs the browser to become managed by the attacker's Google Workspace. This allows the attacker to gain full control over the victim's browser to disable security features, install additional malicious extensions, exfiltrate data and even silently redirect users to phishing sites. This attack is extremely potent as there is no visual difference between a managed and an unmanaged browser. For a regular user, there is no telltale sign that a privilege escalation has occurred unless the victim is highly security aware and goes out of their way to regularly inspect their browser settings and look for associations with an unfamiliar Google Workspace account.
Device Hijacking
With the same downloaded file above, the attacker can additionally insert the registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication. Once the connection is established, attackers can use the extension in conjunction with the local shell and other available native applications to secretly turn on the device camera, capture audio, record screens and install malicious software, essentially providing full access to all applications and confidential data on the device.
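A defender-side check for the footholds just described, added here as an example and not part of SquareX's release or tooling: it audits a Windows host for a Chrome cloud-management enrollment token, policy-forced extensions, and native messaging host registrations that let an extension talk to local programs. The registry paths and value names are assumed from Chrome's documented enterprise policy and native messaging layout, which the release does not name.

```powershell
# Added audit example, not from the SquareX release. Registry locations below
# are assumed from Chrome's documented enterprise policy and native messaging
# layout; the release itself does not name them.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $script:findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Enrollment token: if present, Chrome enrols itself into the Workspace
#    that issued the token, which is the "managed browser" step of the attack.
$policy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (Test-Path $policy) {
    $p = Get-ItemProperty -Path $policy
    if ($p.CloudManagementEnrollmentToken) {
        Add-Finding 'EnrollmentToken' "$policy\CloudManagementEnrollmentToken is set"
    }
    # 2. Extensions the managing account forces onto every profile.
    $force = Join-Path $policy 'ExtensionInstallForcelist'
    if (Test-Path $force) {
        $key = Get-Item -Path $force
        foreach ($name in $key.GetValueNames()) {
            Add-Finding 'ForceInstalledExtension' $key.GetValue($name)
        }
    }
}

# 3. Native messaging hosts: each subkey's default value points at a manifest
#    that names the local program and the extension origins allowed to call it.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $nmh = "$hive\Software\Google\Chrome\NativeMessagingHosts"
    if (-not (Test-Path $nmh)) { continue }
    foreach ($sub in Get-ChildItem -Path $nmh) {
        $manifest = $sub.GetValue('')
        $detail = "$($sub.PSChildName) -> $manifest"
        if ($manifest -and (Test-Path -LiteralPath $manifest)) {
            try {
                $m = Get-Content -Raw -LiteralPath $manifest | ConvertFrom-Json
                $detail += "; runs $($m.path); callable from $($m.allowed_origins -join ', ')"
                # A host binary under a user-writable directory deserves a closer look.
                if ($m.path -match '\\(AppData|Temp|Downloads)\\') { $detail += ' [user-writable path]' }
            } catch { $detail += '; manifest unreadable' }
        }
        Add-Finding "NativeMessagingHost ($hive)" $detail
    }
}

if ($findings.Count -eq 0) { 'No enrollment token, forced extensions or native messaging hosts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it elevated so the HKLM keys are readable; any enrollment token or native messaging host the organization did not deploy itself is the association with an unfamiliar Workspace that the release says users are unlikely to notice on their own.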
The Browser Syncjacking attack exposes a fundamental flaw in the way remotely managed profiles and browsers are handled. Today, anyone can create a managed Workspace account tied to a new domain and use it in a browser extension without any form of identity verification, making it impossible to attribute these attacks. Unfortunately, most enterprises currently have zero visibility into the browser: most do not have managed browsers or profiles, nor any visibility into the extensions employees are installing, often based on trending tools and social media recommendations.
What makes this attack particularly dangerous is that it operates with minimal permissions and nearly no user interaction, requiring only a subtle social engineering step using trusted websites, making it almost impossible for employees to detect. While recent incidents like the Cyberhaven breach have already compromised hundreds, if not thousands, of organizations, those attacks required relatively complex social engineering to operate. The devastatingly subtle nature of this attack, with an extremely low threshold of user interaction, not only makes this attack extremely potent, but also sheds light on the terrifying possibility that adversaries are already using this technique to compromise enterprises today. Unless an organization chooses to completely block browser extensions via managed browsers,
the Browser Syncjacking attack will completely bypass existing blacklists and permissions-based policies.
SquareX's founder Vivek Ramachandran says: “This research exposes a critical blind spot in enterprise security. Traditional security tools simply can't see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A browser detection-response solution isn't just an option anymore, it's a necessity. Without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers. This attack technique demonstrates why security needs to shift up to where the threats are actually happening, in the browser itself.”
SquareX has been conducting pioneering security research on browser extensions, including the DEF CON 32 talk “Sneaky Extensions: The MV3 Escape Artists”, which revealed multiple MV3-compliant malicious extensions. This research team was also the first to discover and disclose the OAuth attack on Chrome extension developers, one week before the Cyberhaven breach. SquareX was also responsible for the discovery of Last-Mile Reassembly attacks, a new class of client-side attacks that exploits architectural flaws and completely bypasses all secure web gateway solutions. Based on this research, SquareX's industry-first browser detection and response solution protects enterprises against advanced extension-based attacks, including device hijacking attempts, by conducting dynamic analysis on all browser extension activity at runtime, providing a risk score to all active extensions across the enterprise and further identifying any attacks that they may be vulnerable to. For more information about the Browser Syncjacking attack, additional findings from this research are available at sqrx.com/research.
About SquareX
SquareX helps organizations detect, mitigate and threat hunt client-side web attacks happening against their users in real time. SquareX's industry-first Browser Detection and Response (BDR) solution takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR codes, browser-in-the-browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks. Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications and enterprise SaaS, and convert the browsers on BYOD/unmanaged devices into trusted browsing sessions.
Contact: Head of PR, Junice Liu, SquareX, junice@sqrx.com.
This story was distributed as a release by CyberNewsWire under HackerNoon's business blogging program.
Thank you for listening to this HackerNoon story, read by Artificial Intelligence.
Visit HackerNoon.com to read, write, learn and publish.