CyberSecurity news
@ciso2ciso.com - 31d
SquareX has revealed a new attack method called "Browser Syncjacking", which exploits browser synchronization features to give attackers full control over a user's browser and device. The technique uses a malicious browser extension to hijack the browser by silently adding a profile managed by the attacker, granting them complete access to and control of the system. The attack starts when a user installs a seemingly innocuous extension, which could be disguised as an AI tool or as an already popular extension with millions of users.
The malicious extension then automatically signs the victim into a Chrome profile controlled by the attacker's Google Workspace. The method requires no permissions beyond the read/write capabilities that most browser extensions already request. Experts from SquareX demonstrated how this lets attackers escalate privileges and achieve a total browser and device takeover with minimal user interaction. The disclosure suggests that any browser extension could be a potential attack vector, since extensions are not subjected to additional security scrutiny for this behaviour.
References:
- ciso2ciso.com: SquareX Discloses "Browser Syncjacking", a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk – Source: hackread.com
- hackread.com: SquareX Unveils "Browser Syncjacking" Attack Granting Full Browser and Device Control
- ciso2ciso.com: News alert: SquareX discloses 'Browser Syncjacking' – a new attack to hijack browser – Source: www.lastwatchdog.com
Classification:
- HashTags: #BrowserSecurity #Syncjacking #CyberAttack
- Company: SquareX
- Target: Browsers
- Product: Browser Extensions
- Feature: Browser Syncjacking
- Type: Hack
- Severity: Major