Syncjacking Attack Enables Full Browser and Device Takeover
Security researchers have warned of a new attack which could enable malicious extensions to gain full control of a targeted browser and device, with minimal user interaction.
SquareX said that, until now, the limitations that browser vendors place on the extension ecosystem were thought to make such an attack impossible.
However, a new “browser syncjacking” technique appears to debunk this assumption.
It consists of three stages.
First, an employee unwittingly installs a malicious extension, which then covertly authenticates them into a Chrome profile managed by the attacker’s Google Workspace.
Once this authentication occurs, the attacker gains full control over the new managed profile in the victim’s browser, enabling them to push automated policies such as disabling safe browsing and other security features, SquareX explained.
The threat actor could then escalate the attack by socially engineering the victim into syncing their profile – for example by modifying a legitimate Google support page on syncing accounts. Once the profile is synced, the adversary gets full access to the victim’s locally stored credentials and browsing history.
The second stage involves full browser takeover. The malicious extension monitors for a legitimate download and intercepts it, replacing it with a malicious executable. This contains an enrolment token and registry entry designed to turn the victim’s Chrome browser into a managed browser.
In this way, the attacker gains full control over the victim’s browser, with the user completely unaware. With this control, they could exfiltrate data, redirect the user to phishing sites, disable security features and install additional malicious extensions, SquareX warned.
Device Hijacking Made Simple
A third stage enables device hijacking.
“With the same downloaded file above, the attacker can additionally insert registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication,” SquareX continued.
“Once the connection is established, attackers can use the extension in conjunction with the local shell and other available native applications to secretly turn on the device camera, capture audio, record screens and install malicious software – essentially providing full access to all applications and confidential data on the device.”
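The third stage relies on the installer registering native messaging hosts so the extension can talk to local programs. The following is an added defender-side audit example (not SquareX’s code or part of the original article): it parses native messaging host manifests of the documented Chrome format and flags any host whose `allowed_origins` grants access to an extension ID outside an organizational allowlist. The manifest paths, host names and extension IDs are constructed sample data; in practice the paths would be read from Chrome’s `NativeMessagingHosts` registry keys on Windows or the equivalent directories on macOS/Linux.

```python
"""Audit Chrome native messaging host manifests for unapproved extension access.

Added example (not from the article). Assumes the documented manifest layout:
{"name", "path", "type": "stdio", "allowed_origins": ["chrome-extension://<id>/"]}.
"""
import json

# Constructed sample manifests keyed by the file path the registry entry points at.
# The second one models a host dropped into a user-writable temp directory.
SAMPLE_MANIFESTS = {
    r"C:\Program Files\Vendor\com.vendor.helper.json": json.dumps({
        "name": "com.vendor.helper",
        "path": r"C:\Program Files\Vendor\helper.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"],
    }),
    r"C:\Users\user\AppData\Local\Temp\com.update.bridge.json": json.dumps({
        "name": "com.update.bridge",
        "path": r"C:\Users\user\AppData\Local\Temp\bridge.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"],
    }),
}

# Constructed allowlist: extension IDs the organization has approved for native messaging.
APPROVED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def origin_to_extension_id(origin):
    """Map 'chrome-extension://<id>/' to '<id>'; any other origin form yields None."""
    prefix = "chrome-extension://"
    if not origin.startswith(prefix):
        return None
    return origin[len(prefix):].strip("/")


def audit_manifests(manifests, approved):
    """Return (manifest_path, host_name, extension_id) for every grant not on the allowlist.

    An unparseable manifest is reported as (path, None, None) so it is not silently skipped.
    """
    findings = []
    for path, raw in manifests.items():
        try:
            manifest = json.loads(raw)
        except json.JSONDecodeError:
            findings.append((path, None, None))
            continue
        for origin in manifest.get("allowed_origins", []):
            ext_id = origin_to_extension_id(origin)
            if ext_id not in approved:
                findings.append((path, manifest.get("name"), ext_id))
    return findings
```

Any finding is worth correlating with the extension inventory and the enrolment state of the browser, since the article describes both being changed by the same dropped file.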
Attribution is impossible because anyone can currently create a managed workspace account tied to a new domain and a browser extension, without needing to go through identity verification, said the vendor.
SquareX’s founder, Vivek Ramachandran, argued that the attack technique exposes a blind spot in enterprise security, with most organizations having no visibility into the browser extensions their employees download.
“Traditional security tools simply can’t see or stop these sophisticated browser-based attacks,” he added.
“What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDR and SASE/SSE secure web gateways.”