New Syncjacking Attack Hijacks Devices Using Chrome Extensions

Summary:
A new attack technique dubbed Browser Hijacking was uncovered by security researchers at SquareX. It enables a seemingly benign Chrome extension to take over a victim's device through several steps, including Google profile hijacking and browser hijacking, which eventually lead to device takeover. The only user interaction the attack requires is convincing the victim to install what purports to be a legitimate Chrome extension.

The attack begins with the creation of a malicious Google Workspace domain in which the attacker sets up multiple user profiles with security features such as multi-factor authentication disabled. This Workspace domain is used to create a managed profile on the victim's device. A browser extension, made to appear as a useful tool with legitimate functionality, is then published on the Chrome Web Store. Using social engineering, the attacker tricks the victim into installing the extension, which quietly logs them into one of the attacker's managed Google Workspace profiles in a hidden browser window running in the background. The extension then opens a legitimate Google support page; because it has read and write access to web pages, it injects content into that page telling the user to enable Chrome sync. Once sync is enabled, all stored browser data becomes accessible to the attacker on their own device through the compromised profile. The attacker then moves to take over the browser itself, which in SquareX's demo is done through a fake Zoom update: the victim receives a Zoom invite, and when they click it and land on the Zoom web page, the extension injects content stating that the Zoom client needs to be updated. The download is in fact an executable containing an enrollment token. Once the browser is enrolled, the attacker gains full control over it, along with a slew of malicious capabilities.

Security Officer Comments:
The recent news of OAuth attacks targeting Chrome extension developers has highlighted browser extensions as a critical threat to enterprise security. Although the attack is delivered in multiple stages, it is stealthy because it requires minimal permissions. SquareX highlights the stealth and potency of the attack, underlining how difficult it would be for most users to recognize they are under attack. Chrome extensions are often perceived as isolated risks, but the wave of browser hijacking detailed by Cyberhaven, impacting at least 35 legitimate extensions, reinforces that they are not always isolated.

Suggested Corrections:
Given that these extensions operate fully in the browser and cannot be identified by their permissions or the sites they touch, this threat can only be tackled with a browser-native solution that combines static and dynamic analysis and understands the runtime behavior of each extension. Organizations should implement a risk-scoring system that integrates behavior data, public reviews, historical performance, publisher reputation, and aggregated security research into a centralized feed of information for defenders.

Link(s):
https://www.bleepingcomputer.com/news/security/new-syncjacking-attack-hijacks-devices-using-chrome-extensions/

https://labs.sqrx.com/browser-syncjacking-cc602ea0cbd0