Cybersecurity experts have uncovered a sophisticated method that allows hackers to remotely seize control of your computer through the widely used Google Chrome web browser. This alarming revelation comes from a detailed report by the cybersecurity firm SquareX, which has introduced the term “browser syncjacking” to describe this complex cyberattack.
At the heart of this nefarious attack lies a clever social engineering tactic. The malicious actor must first persuade the unsuspecting user to install a seemingly innocent Chrome extension. This extension is typically masked as a beneficial tool available on the official Chrome Store, and it requests only minimal permissions, which enhances its credibility in the eyes of the user. Notably, the extension often functions as advertised, further obfuscating the attacker’s true intentions.
While the user believes they are using a legitimate tool, the extension clandestinely connects to a managed Google Workspace account that the attacker has previously established. Once the user is unknowingly logged into this managed profile, they are redirected to a genuine Google support page. However, this page has been subtly altered through the malicious extension to prompt the user to synchronize their profile.
Upon agreeing to the sync request, the user inadvertently transmits sensitive local browser data, including saved passwords, browsing history, and autofill information, to the hacker’s managed profile. The hacker can then access this treasure trove of confidential information by logging into the managed profile from their own device, effectively compromising the user’s digital security.
Uncover How Hackers Exploit the Chrome Browser
The initial stages of the browser syncjacking attack already provide hackers with ample information for committing fraud or other illicit activities. However, this technique offers cybercriminals the ability to escalate their attacks even further.
For instance, SquareX illustrates the threat using the popular teleconferencing platform Zoom. Through the malicious Chrome extension, the hacker can redirect the victim to an official yet modified Zoom webpage, which prompts the user to install a crucial update. Unfortunately, the download link provided leads to an executable file that installs a Chrome browser enrollment token associated with the hacker’s Google Workspace account.
Once this installation is complete, the hacker gains access to a broader range of capabilities, including the ability to infiltrate the user’s Google Drive, access clipboard contents, read emails, and much more, significantly increasing the potential for data theft and exploitation.
Understanding the Full Scope of Device Takeover Risks
The browser syncjacking attack path does not conclude with merely compromising the Chrome profile and browser. The hacker can extend their reach to take over the victim’s entire device, presenting an even greater risk.
Through the same malicious download, such as the previously mentioned Zoom update installer, the attacker can inject a “registry entry to message native apps” by exploiting Chrome’s Native Messaging protocol. This nefarious method establishes a connection between the malicious extension and the local binary on the victim’s machine, creating a direct flow of information.
With this connection, the hacker gains the ability to send commands to the victim’s device. This level of access allows them to perform a myriad of malicious actions, including stealing sensitive data such as passwords, cryptocurrency wallets, cookies, and more. Additionally, the attacker can monitor the user by controlling their webcam, taking screenshots, recording audio, and tracking all input on the device, leading to a severe invasion of privacy.
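The Native Messaging link described above depends on a host manifest that names a local binary and the extensions allowed to talk to it, so a defender can audit those manifests. The following is an added example, not code from SquareX or from this article; the field names follow Chrome's documented host manifest format, while the allowlist, path hints and sample manifests are constructed assumptions.

```python
import json
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

# Constructed allowlist of approved extension IDs (placeholder value).
APPROVED_EXTENSIONS = frozenset({"a" * 32})

# Assumption: path fragments that indicate a user-writable Windows location.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def audit_manifest(raw_json, approved=APPROVED_EXTENSIONS):
    """Return findings for one Native Messaging host manifest (JSON text)."""
    try:
        manifest = json.loads(raw_json)
    except json.JSONDecodeError:
        return ["manifest is not valid JSON"]
    if not isinstance(manifest, dict):
        return ["manifest is not a JSON object"]

    findings = []
    origins = manifest.get("allowed_origins")
    for origin in origins if isinstance(origins, list) else []:
        match = ORIGIN_RE.match(str(origin))
        if match is None:
            findings.append(f"malformed or wildcard origin: {origin}")
        elif match.group(1) not in approved:
            findings.append(f"unapproved extension: {match.group(1)}")

    # A host binary outside an admin-controlled directory deserves a closer look.
    path = str(manifest.get("path", ""))
    if any(hint in path.lower() for hint in USER_WRITABLE_HINTS):
        findings.append(f"host binary in user-writable location: {path}")
    return findings


# Constructed sample manifests (not taken from the SquareX report).
SAMPLE_OK = json.dumps({"name": "com.example.host", "type": "stdio",
    "path": "C:\\Program Files\\Example\\host.exe",
    "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"]})
SAMPLE_SUSPECT = json.dumps({"name": "com.example.updater", "type": "stdio",
    "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\host.exe",
    "allowed_origins": ["chrome-extension://" + "b" * 32 + "/"]})

if __name__ == "__main__":
    for label, raw in (("ok", SAMPLE_OK), ("suspect", SAMPLE_SUSPECT)):
        print(label, audit_manifest(raw))
```

On Windows, the manifest paths to feed into this check are the values registered under the `Software\Google\Chrome\NativeMessagingHosts` registry key in HKLM and HKCU.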
As demonstrated, browser syncjacking can often remain undetected by the average user, making it particularly insidious. To safeguard against such cyberattacks, it is crucial to remain vigilant about what you download and to only install trusted Chrome extensions from reputable sources.