Could a malicious extension lead to full browser and device takeover?


SquareX recently disclosed Browser Syncjacking, a new attack technique where a single malicious extension can be used to completely hijack the browser, and eventually, the whole device.

Download our Browser Security Extension Guide

Want to stop Browser Syncjacking and other extension-based attacks? Learn the best practices for defending your enterprise against malicious extensions in our guide.


Browser Syncjacking: A Saga in Three Parts

The attack can be broken up into three parts: it starts with a malicious extension silently adding a Chrome profile managed by the attacker, hijacks the browser and eventually gains full control of the device.

Part 1: Profile Hijacking

The attack begins with an employee installing the malicious browser extension. The extension then “silently” authenticates a Chrome profile managed by the attacker’s Google Workspace in the victim’s browser. This alone allows the attacker to push policies that disable Safe Browsing and other security features. However, the real damage occurs when the attacker tricks the user into syncing Chrome with the managed Google profile, giving attackers full access to all credentials and browsing history stored locally.

Part 2: Browser Takeover

To further escalate privilege to a full browser takeover, the same extension monitors and intercepts a legitimate download, such as a Zoom update, and replaces it with the attacker’s executable, which contains an enrollment token and the registry entry needed to turn the victim’s browser into a managed browser. Thinking that they downloaded a Zoom updater, the victim executes the file, which installs that registry entry and places the browser under the control of the attacker’s Google Workspace.

Part 3: Device Hijacking

With the same downloaded file above, the attacker can additionally insert registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication. Once the connection is established, attackers can use the extension in conjunction with the local shell, essentially providing full access to all applications and confidential data on the device — including executing commands, secretly turning on cameras and microphones, recording keystrokes and other malicious activities.
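The two artifacts Parts 2 and 3 leave on a Windows host are a Chrome cloud-management enrollment token in the policy registry key and a native messaging host registration whose manifest grants an extension access to a local binary. The audit logic below is an added example (not SquareX's code); the policy names and manifest fields are Chrome's real ones, but the registry values and manifests are constructed samples, and the allowlist is a placeholder an organization would fill in with its own approved extension IDs and install directories.

```python
import json
import re

# Chrome extension IDs are 32 letters in the range a-p.
EXT_ID_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

# Constructed sample of values under HKLM\SOFTWARE\Policies\Google\Chrome,
# as a dict so the same logic works on a live registry read or a collected artifact.
SAMPLE_CHROME_POLICY = {
    "CloudManagementEnrollmentToken": "PLACEHOLDER-TOKEN",  # constructed, not a real token
    "SafeBrowsingProtectionLevel": 0,  # 0 = Safe Browsing off
}

# Constructed native messaging host manifests (the file a
# HKCU\Software\Google\Chrome\NativeMessagingHosts\<name> key points at).
SAMPLE_SUSPICIOUS_MANIFEST = json.dumps({
    "name": "com.example.updater",
    "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ZoomUpdate.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
})
SAMPLE_CLEAN_MANIFEST = json.dumps({
    "name": "com.example.approved",
    "path": "C:\\Program Files\\ApprovedVendor\\host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://ppppppppppppppppppppppppppppppp" + "p/"],
})
APPROVED_EXT_IDS = {"p" * 32}          # placeholder allowlist of extension IDs
APPROVED_DIRS = ("C:\\Program Files",)  # placeholder allowlist of host binary locations


def audit_enrollment(policy, expected_token):
    """Flag enrollment into an unexpected Workspace and policy-disabled Safe Browsing."""
    findings = []
    token = policy.get("CloudManagementEnrollmentToken")
    if token and token != expected_token:
        findings.append("unexpected CloudManagementEnrollmentToken: browser enrolled elsewhere")
    if policy.get("SafeBrowsingProtectionLevel") == 0:
        findings.append("SafeBrowsingProtectionLevel=0: Safe Browsing disabled by policy")
    return findings


def audit_native_host(manifest_json, approved_ext_ids, approved_dirs):
    """Flag hosts reachable by unapproved extensions or backed by a binary in an odd place."""
    m = json.loads(manifest_json)
    findings = []
    for origin in m.get("allowed_origins", []):
        match = EXT_ID_RE.match(origin)
        if not match or match.group(1) not in approved_ext_ids:
            findings.append(f"{m['name']}: allowed_origin {origin} not on allowlist")
    path = m.get("path", "")
    if not path.lower().startswith(tuple(d.lower() for d in approved_dirs)):
        findings.append(f"{m['name']}: host binary {path} outside approved directories")
    return findings
```

Run the two functions over every manifest referenced from the NativeMessagingHosts keys and over the Chrome policy key; an enrollment token nobody in IT issued, or a host binary in a Temp directory that an unlisted extension may call, is the signal this attack leaves behind.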

Why is this attack especially potent?

Unless an organization chooses to completely block browser extensions via managed browsers, this attack will completely bypass existing blacklists and permissions-based policies. Here's why it's so potent:

Accessibility

Today, anyone can purchase a new domain and associate it with a Google Workspace account. They can then create hundreds of managed profiles. The barrier to creating a simple extension with AI tools and uploading it to the Chrome Web Store is low and accessible to all internet users. This makes it impossible to attribute these attacks.

Minimal Permissions

This attack only requires basic permissions that users are accustomed to granting and that most browser extensions request, including popular productivity tools like Grammarly, Loom and Calendly. Thus, virtually any extension in the browser could be used as a medium for this exploit. Also, since the malicious activity is only revealed at run time, static analysis tools won’t identify anything suspicious in the extension code.

Leverages Trusted Brands

The whole attack sequence, from syncing to downloading the malicious executable, only involves legitimate sites. Thus, it will not be flagged by any proxy-based solutions or URL filtering, nor will it raise any suspicion among victims, even if the content has been altered by the malicious extension.

Low Social Engineering & User Interaction

Unlike many extension-based attacks, which require elaborate social engineering, this attack only involves a small yet clever social engineering step. Much of the attack runs automatically with nearly no user interaction, giving the attacker control over the majority of the attack sequence once the extension is installed.

Lack of Visual Cues

For a regular user, there is no telltale sign that a privilege escalation has occurred. Unless the victim regularly opens the Chrome profile settings to check for managed profiles, there is no visible difference in the user interface once a managed profile is added. Similarly, there is no change in the user interface between a managed and an unmanaged browser.

Full Device Takeover

Once device control is achieved, the attacker's capabilities become virtually unlimited. The attacker can exfiltrate confidential data from both web and native apps, turn on cameras and microphones for surveillance, disable security features and even install further malicious extensions or malware without the victim's permission.

The Solution: Browser Detection and Response

The malicious extensions used to execute Browser Syncjacking operate fully in the browser and cannot be identified by their permissions or by the sites involved. Thus, the attack can only be mitigated with a browser-native solution that truly understands the runtime behaviour of each extension.

  • Highly Granular Extension-based Policies
  • Advanced Extension Static Analysis
  • Dynamic Analysis
  • Browser Extension Policy Library
  • Extension Risk Scores
  • Shadow SaaS & OAuth Access Control

Click below to request a pilot, or contact us at founder@sqrx.com to learn more.