Google has been working to assure users that the Chrome browser is secure and safe to use, with three security updates in just three weeks. Despite a surprise decision to open a new enterprise web store to help protect against the security threat from malicious extensions, new research has just revealed that any Chrome browser extension can be used to compromise your device. Here’s what you need to know.
The Chrome Browser Extension Security Problem
As I reported Dec. 29, attacks in which hackers used compromised Chrome browser extensions to bypass two-factor authentication protections were ongoing. At least 35 companies had their Chrome extensions replaced with malicious versions in what appeared to be a coordinated hacking campaign of some sophistication and reach. At the time, the Google Chrome Security team said that users were protected by various methods, including a personalized summary of all installed extensions, strict review policies before extensions get published, and continuous monitoring of them afterward. “If the team finds that an extension poses a severe risk to Chrome users,” Google said, “it’s immediately removed from the Chrome Web Store, and the extension gets disabled on all browsers that have it installed.”
Now, SquareX Labs researchers have confirmed that “a full browser and device takeover is possible with browser extensions,” and not just malicious ones either; the hack “only requires basic read/write capabilities present in most extensions,” which puts the “extension user at risk to browser syncjacking attack.”
Chrome Extension Syncjacking Attack Methodology
Chrome browser syncjacking attacks occur across three phases: profile, browser and device hijacking. But let’s start at the beginning, with the attack preparation. This requires the hacker to first register a domain to a Google Workspace account and then disable its 2FA protections. A functional web browser extension is then created and published to the Chrome Web Store; it will later be used to retrieve these profile credentials. The extension is pushed onto the victim using any of the existing myriad phishing techniques. “Seeing that it only has basic read/write capabilities available to most popular extension,” the researchers said, “the victim installs the extension,” assuming it is safe. “Over time,” they continued, “the extension’s presence fades into the background as the victim returns to their daily routine.”
At some point in the near future, the extension connects to the domain registered earlier, grabs the credentials and completes the steps to log the victim into one of the previously created accounts. The result is that the user is now signed in to a profile managed by the attacker, who can then disable security measures to make the browser more open to attack. This is where things get really interesting.
“The attacker opens up Chrome’s legitimate support page on sync,” the researchers said, “and uses the malicious extension to modify the content on the page, convincing the victim to complete the sync.” And, boom: all locally stored data, which includes Chrome passwords and browsing history, now gets uploaded to the hacker-controlled account. But it gets even worse, the researchers said: “The next step involves turning the whole browser into a managed browser controlled by the attacker.” Only after that does the attacker finally take over the entire device.
Mitigating The Chrome Syncjacking Attacks
The browser syncjacking attack is particularly dangerous, the SquareX Labs report warned, because, unlike the previously reported extension attacks that required elaborate social engineering, “adversaries need only minimal permissions and a small social engineering step, with nearly no user interaction required to execute this attack.” To mitigate the attacks, SquareX recommends the use of a browser-native solution that understands the runtime behavior of every extension, because these Chrome extensions operate entirely in the browser and so cannot be identified by their declared permissions or the sites involved. I have reached out to Google for a statement.
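For administrators who want a control they can deploy today rather than wait for a vendor response, the profile-sync step of the attack depends on the browser being allowed to sign in to, and sync with, an account the organization does not own. Chrome's existing enterprise policies can close that door. The policy file below is an added example written for this article, not part of the SquareX report or Google's guidance; it assumes a Linux host, where Chrome reads managed policy from JSON files under /etc/opt/chrome/policies/managed/ (Windows and macOS administrators set the same policy names via the registry or a configuration profile). It restricts browser sign-in to the organization's own Workspace domain (the `example.com` pattern is a placeholder), turns off Chrome Sync outright, and replaces open extension installation with an allowlist of reviewed extension IDs (the ID shown is a placeholder, not a real extension).

```json
{
  "RestrictSigninToPattern": ".*@example\\.com",
  "SyncDisabled": true,
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["PLACEHOLDER_REVIEWED_EXTENSION_ID"]
}
```

With `RestrictSigninToPattern` set, a sign-in to an attacker-controlled Workspace account from a different domain is refused before any profile data can be associated with it, and `SyncDisabled` removes the upload of passwords and history even if a sign-in did succeed. The allowlist does not inspect runtime behavior, which is the gap SquareX's recommendation addresses, but it does stop the initial extension install unless the extension has been through the organization's own review. After deploying the file, the active policies can be confirmed on a client at chrome://policy.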