
New Syncjacking Attack Hijacks Devices Using Chrome Extensions

Devices Hacked Via Chrome ExE

By WIRE TOR - Ethical Hacking Services | Published 12 months ago | 3 min read

A new cyberattack method called ‘Browser Syncjacking’ has emerged, demonstrating how hackers can hijack devices through seemingly benign Chrome extensions. Discovered by security researchers at SquareX, this attack involves a multi-stage process that begins with Google profile hijacking, progresses to browser hijacking, and ultimately results in complete device takeover.

Despite its complexity, the attack remains highly stealthy, requiring minimal permissions and almost no victim interaction beyond installing what appears to be a legitimate Chrome extension.

The Syncjacking Attack Process

The attack starts with the creation of a malicious Google Workspace domain, where the attacker sets up multiple user profiles with security features such as multi-factor authentication disabled. This Workspace domain will later serve as the basis for creating a managed profile on the victim’s device.

Once the infrastructure is ready, the attacker publishes a browser extension on the Chrome Web Store, disguising it as a useful tool with seemingly legitimate functionality. Through social engineering tactics, the victim is tricked into installing this extension, which silently logs them into one of the attacker’s managed Google Workspace profiles via a hidden browser window running in the background.

After installation, the extension launches a legitimate Google support page. Since it has Read and Write privileges to webpages, it injects content into the page, instructing the victim to enable Chrome sync. If the victim follows the prompt and enables syncing, all stored data, including passwords and browsing history, becomes accessible to the attacker, who can now use the compromised profile on their own device.

Escalation to Full Browser Hijacking

With control over the victim’s profile, the attacker then escalates their access to hijack the entire browser. In SquareX’s demonstration, this was done through a fake Zoom update prompt.

For example, the victim might receive a Zoom meeting invite. Upon clicking the link and navigating to the Zoom webpage, the malicious extension injects misleading content, falsely stating that the Zoom client needs an update. The provided download, however, is actually an executable file that contains an enrollment token.

Once executed, this token allows the attacker to fully enroll the victim’s browser into their Google Workspace. At this stage, the attacker gains unrestricted control, enabling them to:

  • Silently access all web applications
  • Install additional malicious extensions
  • Redirect users to phishing sites
  • Monitor and modify file downloads
  • Execute arbitrary commands on the victim’s operating system
  • Capture keystrokes and extract sensitive data
  • Activate the webcam and microphone

Through Chrome’s Native Messaging API, the attacker can establish a direct communication channel between the malicious extension and the victim’s device, further extending their control beyond the browser.

The Dangers of Syncjacking

Syncjacking is particularly dangerous due to its stealthy nature. Unlike previous extension-based attacks that required elaborate social engineering techniques, this method relies on minimal user interaction. The victim’s browser is hijacked without any clear warning signs.

“Unless the victim is extremely security paranoid and technically savvy enough to constantly navigate Chrome settings to check for managed browser labels, there is no real visual indication that a browser has been hijacked,” the SquareX researchers explained.

This new form of attack highlights a growing security concern: Chrome extensions are often underestimated as potential threats. Recent incidents, including a wave of hijacks affecting legitimate extensions used by millions of users, prove that browser add-ons can be weaponized for cyber espionage and malware distribution.

Google’s Response and Security Recommendations

BleepingComputer has contacted Google for comments on the Syncjacking attack and is awaiting a response.

In the meantime, cybersecurity experts recommend several precautions to protect against such attacks:

Avoid Installing Unverified Extensions — Only install Chrome extensions from reputable developers and check user reviews before installation.

Regularly Review Installed Extensions — Periodically audit browser extensions to ensure that no unauthorized add-ons are present.

Disable Automatic Syncing — Consider disabling Chrome Sync, especially on devices that handle sensitive information.

Check for Managed Profiles — In Chrome settings, look for indications that your browser is being managed by an organization. If you see this and didn’t enable it yourself, it may be a sign of compromise.

Use Multi-Factor Authentication (MFA) — Enable MFA on all Google accounts to add an extra layer of security against unauthorized access.

Keep Software Updated — Ensure that your browser and security tools are up to date to mitigate vulnerabilities.
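As an added example (not code from the article or from SquareX), the "Regularly Review Installed Extensions" step can be scripted: the Python below walks a Chrome profile's Extensions folder and flags manifests that request page access on all sites or the nativeMessaging permission, the two capabilities this article describes the extension using. The profile path is supplied by the caller, the sample manifests and extension IDs are constructed, and a flag is a prompt for manual review rather than a verdict.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that give an extension script access to every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _strings(obj, *keys):  # string entries of the named list fields
    return {v for k in keys for v in obj.get(k, []) if isinstance(v, str)}

def risk_flags(manifest: dict) -> list[str]:
    """Return reasons a manifest deserves manual review (empty list if none)."""
    perms = _strings(manifest, "permissions", "optional_permissions")
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = perms | _strings(manifest, "host_permissions", "optional_host_permissions")
    for script in manifest.get("content_scripts", []):
        hosts |= _strings(script, "matches")
    flags = ["all-sites page access"] if hosts & BROAD_HOSTS else []
    if "nativeMessaging" in perms:
        flags.append("nativeMessaging")
    return flags

def audit_profile(profile_dir) -> dict[str, list[str]]:
    """Map extension ID -> flags for each <profile>/Extensions/<id>/<version>/manifest.json."""
    findings = {}
    for path in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        try:
            flags = risk_flags(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):
            flags = ["unreadable manifest"]
        if flags:
            findings[path.parts[-3]] = flags  # parts[-3] is the extension ID directory
    return findings

def build_constructed_profile(root) -> Path:
    """Write two constructed manifests (made-up IDs) so the audit runs offline."""
    samples = {
        "constructed-id-broad": {"permissions": ["nativeMessaging"],
                                 "content_scripts": [{"matches": ["<all_urls>"]}]},
        "constructed-id-narrow": {"host_permissions": ["https://example.com/*"]},
    }
    for ext_id, manifest in samples.items():
        ext_dir = Path(root, "Extensions", ext_id, "1.0_0")
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_profile(build_constructed_profile(tmp)))
```

To audit a real browser, pass the path of the profile directory shown on the chrome://version page to `audit_profile`.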

A Growing Threat in the Cybersecurity Landscape

Syncjacking is a sophisticated attack that leverages seemingly innocuous Chrome extensions to gain full control over victims’ devices. It underscores the importance of remaining vigilant about browser security, as well as the potential risks posed by third-party extensions.

As attackers continue to refine their methods, individuals and organizations must adopt stricter security measures to protect against such evolving threats. While browser-based attacks may often seem less critical compared to traditional malware, the Syncjacking attack proves that browser security should be a top priority in today’s digital landscape.
