A new attack technique called "browser sync hijacking" (Browser Syncjacking) shows how a seemingly harmless Chrome extension can be used to take control of a victim's device.
The technique was discovered by security researchers at SquareX. It proceeds in several stages, hijacking the victim's Google account, then the browser, and finally gaining full control of the device. Although the attack is split into multiple stages, it is extremely stealthy: it requires minimal permissions and almost no action from the victim beyond installing an extension that looks legitimate.
Steps of the Syncjacking attack
1. Create a malicious Google Workspace domain
The attack begins with the creation of a malicious Google Workspace domain. The attacker sets up multiple user profiles in this domain and disables security features such as two-factor authentication. This Workspace domain is later used, in the background, to create a managed profile on the victim's device.
2. Publish an extension disguised as a legitimate tool
Next, the attacker publishes an extension in the Chrome Web Store that appears to be a useful tool. The extension looks legitimate, but it hides malicious code.
3. Trick the user into installing the extension
Using social engineering, the attacker persuades the victim to install the extension. Once installed, the extension silently signs the victim into the attacker-controlled Google Workspace managed profile in the background.
4. Inject malicious content and trick the user into syncing
The extension then opens a legitimate Google support page. Because the extension has read and write permissions on web pages, it injects content into that page prompting the user to enable Chrome's sync feature.
[Image: The victim chooses to sync their browser profile. Source: SquareX]
Once sync completes, all of the profile's stored data, including passwords and browsing history, is available to the attacker, who can then load the hijacked profile on their own device.
[Image: Adding the victim to the managed Google Workspace. Source: SquareX]
5. Take over the browser
With control of the victim's profile, the attacker moves on to taking over the browser itself. In SquareX's demonstration, this was done through a fake Zoom update.
[Image: Prompting the victim to install a fake Zoom update. Source: SquareX]
The researchers explain that the victim may receive a Zoom invitation; when they click it and land on the Zoom web page, the extension injects content claiming the Zoom client needs an update. The downloaded file, however, is an executable that carries an enrollment token, which enrolls the browser under the attacker's management and gives the attacker complete control of it.
"Once enrollment is complete, the attacker gains complete control over the victim's browser, allowing silent access to all web applications, installing additional malicious extensions, redirecting users to phishing websites, monitoring/modifying file downloads, and more," the SquareX researchers explain.
6. Exploit Chrome's Native Messaging API
By abusing Chrome's Native Messaging API, the attacker establishes a direct communication channel between the malicious extension and the victim's operating system. This lets them browse directories, modify files, install malware, execute arbitrary commands, capture keystrokes, extract sensitive data, and even activate the camera and microphone.
[Image: Accessing the victim's Drive contents. Source: SquareX]
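Native messaging hosts are ordinary programs registered per user through a small JSON manifest, so a defender can inventory which extensions are allowed to launch which local binaries. The script below is an added example written for this article, not SquareX's code or Google's tooling; it assumes stock Google Chrome's per-user manifest directories on Linux and macOS, and the manifest it audits is a constructed sample.

```python
import json
from pathlib import Path

# Per-user directories where Chrome reads native messaging host manifests on Linux
# and macOS (assumption: stock Google Chrome; on Windows the manifest path is instead
# registered under HKCU\Software\Google\Chrome\NativeMessagingHosts).
USER_HOST_DIRS = [
    Path.home() / ".config/google-chrome/NativeMessagingHosts",
    Path.home() / "Library/Application Support/Google/Chrome/NativeMessagingHosts",
]

def audit_manifest(manifest_text, approved_extension_ids):
    """Parse one host manifest; report the binary, its allowed extensions and findings."""
    manifest = json.loads(manifest_text)
    findings = []
    ext_ids = []
    for origin in manifest.get("allowed_origins", []):
        # Origins have the form chrome-extension://<32-character extension id>/
        ext_id = origin[len("chrome-extension://"):].rstrip("/")
        ext_ids.append(ext_id)
        if ext_id not in approved_extension_ids:
            findings.append(f"unapproved extension {ext_id} may launch this host")
    binary = manifest.get("path", "")
    if binary.startswith(str(Path.home())):
        # A host living under the user's home directory needed no admin rights to install.
        findings.append("host binary is in the user's home directory")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected transport type {manifest.get('type')!r}")
    return {"name": manifest.get("name"), "path": binary,
            "extensions": ext_ids, "findings": findings}

def audit_host_dirs(approved_extension_ids, dirs=USER_HOST_DIRS):
    """Audit every *.json manifest found in the per-user host directories."""
    reports = []
    for d in dirs:
        for manifest_file in (sorted(d.glob("*.json")) if d.is_dir() else []):
            reports.append(audit_manifest(manifest_file.read_text(), approved_extension_ids))
    return reports

# Constructed sample manifest (not taken from the report) in the format Chrome expects.
SAMPLE_MANIFEST = json.dumps({
    "name": "com.example.helper",
    "path": str(Path.home() / "helper" / "helper.py"),
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
})

if __name__ == "__main__":
    for report in audit_host_dirs(approved_extension_ids=set()):
        print(report["name"], report["path"], report["findings"])
```

Run it with the extension IDs your organization actually approves passed as `approved_extension_ids`; any host reachable from an ID outside that set is worth investigating.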
Stealthiness and harm of the attack
SquareX stresses how stealthy and damaging the attack is, noting that most users would find it very hard to spot anything unusual. "Unlike previous extension attacks that required complex social engineering, this attack requires minimal permissions and simple social engineering steps, and can be executed almost without user interaction," the report says.
"Unless the victim is extremely paranoid about security and has enough technical ability to constantly check Chrome's settings for the managed-browser labels, there are almost no obvious visual signs that the browser has been hijacked."
Chrome extensions are usually considered isolated risks, but recent events (such as legitimate extensions used by millions of users being hijacked) indicate that this risk is far greater than imagined.
BleepingComputer has contacted Google about this new attack and will update the report if a response is received.
Reference source: "New Syncjacking attack hijacks devices using Chrome extensions" (BleepingComputer)