Browser Syncjacking could be the next big threat for enterprises

SquareX discloses a new attack technique which shows how malicious extensions can be used to completely hijack the browser, and eventually, the whole device.

Researchers from SquareX have discovered a new vulnerability in browsers which they believe could unleash cyberattacks on enterprises at a whole new scale. Given that everyone, consumers and enterprises alike, relies on the browser, a threat that is capable of gaining full control of it has a very wide reach.

SquareX researchers Dakshitaa Babu, Arpit Gupta, Sunkugari Tejeswara Reddy and Pankaj Sharma recently discovered how attackers are using malicious extensions on browsers to escalate privileges to conduct a full browser and device takeover, all with minimal user interaction.

According to the researchers, the malicious extension only requires read or write capabilities that are present in the majority of browser extensions on the Chrome Store, including common productivity tools like Grammarly, Calendly and Loom, which desensitizes users to granting these permissions. As such, virtually any browser extension could potentially serve as an attack vector if created or taken over by an attacker. The researchers also pointed out that extensions submitted to the Chrome Store requesting these capabilities are not put through additional security scrutiny.

Browser syncjacking has three stages. The first is profile hijacking: when an employee installs the browser extension, it silently authenticates the victim into a Chrome profile managed by the attacker’s Google Workspace. This is done automatically in a background window, making the whole process almost imperceptible to the victim. Once this authentication occurs, the attacker has full control over the new managed profile in the victim’s browser, allowing them to push automated policies such as disabling Safe Browsing and other security features.

The adversary can also use social engineering attacks that exploit trusted domains to steal passwords from the victim’s browser. For example, the malicious extension can open and modify Google’s official support page on how to sync user accounts, prompting the victim to perform the sync with just a few clicks. Once the profile is synced, attackers have full access to all credentials and browsing history stored locally. As this attack only leverages legitimate sites and there is no visible sign that the page has been modified by the extension, it will not trigger alarms in security solutions monitoring the network traffic.

Next, there is browser takeover, whereby the attacker converts the victim’s Chrome browser into a managed browser. The same extension monitors and intercepts a legitimate download, such as a Zoom update, and replaces it with the attacker’s executable, which contains an enrollment token and registry entry to turn the victim’s Chrome browser into a managed browser.

Once attackers gain full control over the victim’s browser, they can disable security features, install additional malicious extensions, exfiltrate data and even silently redirect users to phishing sites. This attack is extremely potent as there is no visual difference between a managed and unmanaged browser.

Lastly, there is device hijacking. Through the same downloaded file, the attacker can additionally insert registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication. Once the connection is established, attackers can use the extension in conjunction with the local shell and other available native applications to secretly turn on the device camera, capture audio, record screens and install malicious software - essentially providing full access to all applications and confidential data on the device.
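The browser-takeover and device-hijacking stages above both rest on host-level artefacts: an enrollment token that enrolls Chrome into someone else's management, and native messaging host registrations that let an extension talk to local programs. As an added illustration written for this article (not SquareX's tooling), the Python below audits constructed sample inputs of exactly those artefacts; the approved extension IDs, the token strings and the registry locations named in the comments are assumptions and placeholders, not values from the research.

```python
import re

# Constructed sample inputs (not from the article). On Windows these would be read
# from the Chrome policy key (CloudManagementEnrollmentToken) and from the
# NativeMessagingHosts registry entries plus the manifest files they point to.
APPROVED_EXTENSION_IDS = {"a" * 32}               # extensions the org has vetted (made-up ID)
ORG_ENROLLMENT_TOKEN = "PLACEHOLDER-ORG-TOKEN"     # None if the fleet is not cloud-managed

OBSERVED_ENROLLMENT_TOKEN = "PLACEHOLDER-UNKNOWN-TOKEN"   # what this host actually reports
NATIVE_HOST_MANIFESTS = [
    {"name": "com.example.vetted", "path": "C:\\Program Files\\Vetted\\host.exe",
     "type": "stdio", "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"]},
    {"name": "com.example.dropped", "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe",
     "type": "stdio", "allowed_origins": ["chrome-extension://" + "b" * 32 + "/"]},
]
INSTALLED_EXTENSIONS = [
    {"id": "a" * 32, "permissions": ["storage", "nativeMessaging"]},
    {"id": "b" * 32, "permissions": ["tabs", "nativeMessaging", "downloads"]},
    {"id": "c" * 32, "permissions": ["storage"]},
]
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")


def check_enrollment(observed, expected):
    """Flag a token that would enroll the browser under a management server the org did not choose."""
    if observed is None:
        return []
    if expected is None or observed != expected:
        return [f"enrollment token present but not the org's: {observed}"]
    return []


def check_native_hosts(manifests, approved_ids):
    """Flag native messaging hosts reachable from extensions that are not approved."""
    findings = []
    for m in manifests:
        for origin in m.get("allowed_origins", []):
            match = ORIGIN_RE.match(origin)
            ext_id = match.group(1) if match else None     # malformed origins are flagged too
            if ext_id not in approved_ids:
                findings.append(f"native host {m['name']} ({m['path']}) reachable by {origin}")
    return findings


def check_extensions(extensions, approved_ids):
    """Flag unapproved extensions that hold the nativeMessaging permission."""
    return [f"unapproved extension {e['id']} holds nativeMessaging" for e in extensions
            if "nativeMessaging" in e.get("permissions", []) and e["id"] not in approved_ids]


def audit():
    return (check_enrollment(OBSERVED_ENROLLMENT_TOKEN, ORG_ENROLLMENT_TOKEN)
            + check_native_hosts(NATIVE_HOST_MANIFESTS, APPROVED_EXTENSION_IDS)
            + check_extensions(INSTALLED_EXTENSIONS, APPROVED_EXTENSION_IDS))
```

Running `audit()` on the sample data yields three findings: the unexpected enrollment token, the native host reachable from the unapproved extension, and that extension's nativeMessaging permission.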

According to SquareX, the browser syncjacking attack exposes a fundamental flaw in the way remotely managed profiles and browsers are governed. As most enterprises currently have no visibility into the browser, neither into whether browsers or profiles are managed nor into the extensions employees are installing, browser syncjacking could have severe consequences for organizations.

“What makes this attack particularly dangerous is that it operates with minimal permissions and nearly no user interaction, requiring only a subtle social engineering step using trusted websites - making it almost impossible for employees to detect,” said the researchers.

SquareX’s founder Vivek Ramachandran pointed out that the research exposes a critical blind spot in enterprise security.

“Traditional security tools simply can't see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A Browser Detection-Response solution isn't just an option anymore, it's a necessity,” he said.

Ramachandran added that without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers.

“This attack technique demonstrates why security needs to 'shift up' to where the threats are actually happening: in the browser itself,” he concluded.