Millions Of Google Chrome Users Warned As Syncjacking Hack Gets Real – Forbes
![](https://netquick.ch/wp-content/uploads/2025/02/0x0-4-1024x683.jpg)
*Google Chrome users warned of Browser Syncjacking threat.*

Google has been working to assure users that the Chrome browser is secure and safe to use, with three security updates in just three weeks. Despite a surprise decision to open a new enterprise web store to help protect against the security threat from malicious extensions, new research has just revealed that any Chrome browser extension can be used to compromise your device. Here’s what you need to know.

As I reported Dec. 29, attacks in which hackers used compromised Chrome browser extensions to bypass two-factor authentication protections were ongoing. At least 35 companies had their Chrome extensions replaced with malicious versions in what appeared to be a coordinated hacking campaign of some sophistication and reach. At the time, the Google Chrome Security team said that users were protected by various methods, including a personalized summary of all installed extensions, strict reviewing policies before extensions get published, and continuous monitoring of them afterward. “If the team finds that an extension poses a severe risk to Chrome users,” Google said, “it’s immediately removed from the Chrome Web Store, and the extension gets disabled on all browsers that have it installed.”

Now, SquareX Labs researchers have confirmed that “a full browser and device takeover is possible with browser extensions,” and not just malicious ones either; the hack “only requires basic read/write capabilities present in most extensions,” which puts the “extension user at risk to browser syncjacking attack.”

Chrome browser syncjacking attacks occur across three phases: profile, browser and device hijacking. But let’s start at the beginning, with the attack preparation. This requires the hacker to first register a domain to a Google Workspace account and then disable 2FA protections. A functional web browser extension is then created and published to the Chrome store which will be used later to retrieve these profile credentials.
The extension is pushed onto the victim using any of the existing myriad phishing techniques. “Seeing that it only has basic read/write capabilities available to most popular extension,” the researchers said, “the victim installs the extension,” assuming it is safe. “Over time,” they continued, “the extension’s presence fades into the background as the victim returns to their daily routine.”

At some point in the near future, the extension connects to the domain registered earlier, grabs the credentials and completes the steps to log the victim into one of the previously created accounts. The result here is that the user is now connected to a profile managed by the attacker, enabling them to disable security measures to make the browser more open to attack. This is where things get really interesting.

“The attacker opens up Chrome’s legitimate support page on sync,” the researchers said, “and uses the malicious extension to modify the content on the page, convincing the victim to complete the sync.” And, boom: all locally stored data, which includes Chrome passwords and browsing history, now get uploaded to the hacker-controlled account. But it gets even worse, the researchers said: “The next step involves turning the whole browser into a managed browser controlled by the attacker.” This before finally taking over the entire device.

The browser syncjacking attack is particularly dangerous, the SquareX Labs report warned, because, unlike the previously reported extension attacks requiring elaborate social engineering, “adversaries need only minimal permissions and a small social engineering step, with nearly no user interaction required to execute this attack.” To mitigate the attacks, SquareX recommends the use of a browser-native solution that understands the runtime behavior of every extension, as these Chrome extensions operate entirely in the browser and so cannot be identified by permissions or the sites involved. I have reached out to Google for a statement.
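One practical first step for a defender is simply knowing which extensions are installed on a machine and which of them hold the read/write reach the report describes. The following script is an added example, not code from the Forbes article or from SquareX Labs; it assumes Chrome's usual on-disk layout (`Extensions/<id>/<version>/manifest.json` under the Default profile) and a permission list chosen here for illustration, since the article names no specific permissions. Note the caveat the report itself makes: an inventory like this is a baseline, not a syncjacking detector, because the attack needs only capabilities that many legitimate extensions also request.

```python
"""Inventory locally installed Chrome extensions and flag broad page read/write reach.

Added example (not from the article or SquareX). Assumes Chrome's standard
user-data layout: <profile>/Extensions/<extension id>/<version>/manifest.json.
"""
import json
import os
import sys
from pathlib import Path

# Permissions that let an extension read or rewrite page content or steer the
# browser. This set is an illustrative choice for the example, not a standard list.
CONTENT_RW_PERMISSIONS = {
    "scripting", "tabs", "activeTab", "webNavigation",
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
}
# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Extensions installed from the Chrome Web Store carry this update_url.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample manifests used for the stand-alone demo and the test.
SAMPLE_BROAD_MANIFEST = {
    "name": "Example Tab Helper (constructed)",
    "manifest_version": 3,
    "permissions": ["storage", "scripting"],
    "host_permissions": ["<all_urls>"],
    "update_url": WEB_STORE_UPDATE_URL,
}
SAMPLE_NARROW_MANIFEST = {
    "name": "Example Site Tweaker (constructed)",
    "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "update_url": WEB_STORE_UPDATE_URL,
}


def default_extension_dirs() -> list[Path]:
    """Per-platform Extensions directories of Chrome's Default profile (assumed layout)."""
    home = Path.home()
    candidates = [
        home / ".config/google-chrome/Default/Extensions",                      # Linux
        home / "Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",  # Windows
    ]
    return [p for p in candidates if p.is_dir()]


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one extension manifest (empty list = nothing flagged)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 listed host patterns inside "permissions"; treat URL-like entries as hosts.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # Content scripts also declare where they run.
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))

    broad = hosts & BROAD_HOST_PATTERNS
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    rw = perms & CONTENT_RW_PERMISSIONS
    if rw:
        findings.append("page/browser read-write permissions: " + ", ".join(sorted(rw)))
    # Missing or non-Web-Store update_url usually means a sideloaded or force-installed extension.
    if manifest.get("update_url") != WEB_STORE_UPDATE_URL:
        findings.append("not a Chrome Web Store install (update_url=%r)" % manifest.get("update_url"))
    return findings


def audit_directory(ext_root: Path) -> dict[str, list[str]]:
    """Walk <ext_root>/<id>/<version>/manifest.json and audit every extension found."""
    results: dict[str, list[str]] = {}
    for manifest_path in sorted(ext_root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            results[ext_id] = ["unreadable manifest"]
            continue
        results[ext_id] = audit_manifest(manifest)
    return results


if __name__ == "__main__":
    roots = [Path(a) for a in sys.argv[1:]] or default_extension_dirs()
    if not roots:
        print("no Chrome Extensions directory found; auditing constructed samples instead")
        for m in (SAMPLE_BROAD_MANIFEST, SAMPLE_NARROW_MANIFEST):
            print(m["name"], "->", audit_manifest(m) or "nothing flagged")
    for root in roots:
        for ext_id, findings in audit_directory(root).items():
            print(f"{ext_id}: " + ("; ".join(findings) if findings else "nothing flagged"))
```

Run it with no arguments to scan the current user's Default profile, or pass one or more Extensions directories explicitly (useful on a forensic image). Treat an empty findings list as "nothing obvious", not as a clean bill of health: the article's point is that a syncjacking extension can look exactly like the benign ones on this list, so the inventory is most useful as a change-tracking baseline compared over time or against an enterprise allow-list.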