Hackers have To Be Twenty (Avere vent’anni)discovered a new way to remotely take control of your computer — all through the Google Chrome web browser.
A report from cybersecurity company SquareX lays out the new multifaceted cyberattack, which the firm has dubbed "browser syncjacking."
At the core of the attack is a social engineering element, as the malicious actor first must convince the user to download a Chrome extension. The Chrome extension is usually disguised as a helpful tool that can be downloaded via the official Chrome Store. It requires minimal permissions, further cementing its perceived legitimacy to the user. According to SquareX, the extension actually does usually work as advertised, in order to further disguise the source of the attack from the user.
Meanwhile, secretly in the background, the Chrome extension connects itself to a managed Google Workspace profile that the attacker has set up in advance. With the user now unknowingly signed into a managed profile, the attacker sends the user to a legitimate Google support page which is injected with modified content through the Chrome extension, telling the user they need to sync their profile.
When the user agrees to the sync, they unwittingly send all their local browser data, such as saved passwords, browsing history, and autofill information, to the hacker's managed profile. The hacker can then sign into this managed profile on their own device and access all that sensitive information.
The attack up to this point already provides the hacker with enough material to commit fraud and other illicit activities. However, browser syncjacking provides the hacker with the capability to go even further.
Using the teleconferencing platform Zoom as an example, SquareX explains that using the malicious Chrome extension, the attacker can send the victim to an official yet modified Zoom webpage that urges the user to install an update. However, the Zoom download that's provided is actually an executable file that installs a Chrome browser enrollment token from the hacker's Google Workspace.
After this occurs, the hacker then has access to additional capabilities and can gain access to the user's Google Drive, clipboard, emails, and more.
The browser syncjacking attack doesn't stop there. The hacker can take one further step in order to not just take over the victim's Chrome profile and Chrome browser, but also their entire device.
Through that same illicit download, such as the previously used Zoom update installer example, the attacker can inject a "registry entry to message native apps" by weaponizing Chrome’s Native Messaging protocol. By doing this, the attacker basically sets up a connection "between the malicious extension and the local binary." Basically, it creates a flow of information between the hacker's Chrome extension and your computer. Using this, the hacker can send commands to your device.
What can the hacker do from here? Pretty much anything they want. The attacker will have full access to the user's computer files and settings. They can create backdoors into the system. They can steal data such as passwords, cryptocurrency wallets, cookies, and more. In addition, they can track the user by controlling their webcam, take screenshots, record audio, and monitor everything input into the device.
As you can see, browser syncjacking is nearly completely unrecognizable as an attack to most users. For now, the most important thing you can do to protect yourself from such a cyberattack is to be aware of what you download and only install trusted Chrome extensions.
Topics Cybersecurity Google
In Paris Agreement speech, Trump never acknowledged the reality of global warming
Best earbud deal: Get a pair of Samsung Galaxy Buds3 Pro with a $20 Amazon gift card
Why is ChatGPT's Santa Mode only for ages 13 and up?
How to use Gmail's package
China just built the world's biggest floating solar project
Best Barnes and Noble gift card deal: Save $7.50 at Amazon
How to use Gmail's package
OpenAI brings video to ChatGPT Advanced Voice Mode
Watch Chappell Roan's Grammy acceptance speech demanding healthcare for artists
Charlotte Hornets vs. Chicago Bulls 2024 livestream: Watch NBA online
Trump's foreign aid freeze halts funding for digital diplomacy bureau
What's new to streaming this week? (Dec. 13, 2024)
YouTube TV is getting a big price hike in January
Best Barnes and Noble gift card deal: Save $7.50 at Amazon
Clean energy projects soared in 2016 as solar and wind got cheaper
The Onion has been denied bid to buy Alex Jones' InfoWars
Get 50% off gaming headsets at Best Buy
How Sora's AI videos will affect the future
Getting Started with Gmail Keyboard Shortcuts
United launches Apple AirTag
That Time I Tried to Scatter the Ashes of Every Dog I’ve Ever OwnedBlack Friday Nintendo deal: JoyWhat Louise Erdrich’s “The Blue Jay’s Dance” Taught Me About MotherhoodNow Online: Our Interviews with Claudia Rankine and Alasdair GrayHow to watch Oregon vs. USC football without cable: kickoff time, streaming deals, and moreBerlin's Cybrothel fulfills a fantasy — but may pose risksIs the TikTok trend dead?Samsung soundbar deal: Save 43% off at AmazonTalking to Madison Smartt Bell About His New Novel, “Behind the Moon”Why are 'doubloons' going viral on TikTok?“I am glad if I can type zer0s”: Endre Tót’s Mail ArtArchitects’ Gravesites: A Serendipitous GuideMary McCarthy SpeaksPoem: Sidney Wade, “Another Passionless Day”Architects’ Gravesites: A Serendipitous GuideQatar World Cup: FIFA says rainbow colors are allowed in stadiumsGustav Wunderwald Painted the Quieter Side of Weimar BerlinTalking to Michael Robbins About Poetry, Capitalism, and Taylor SwiftWordle today: The answer and hints for November 10'Scavengers Reign' is the best sci NASA's new solar eclipse photos rule How to cancel YouTube TV Darnella Frazier won a Pulitzer for her video of George Floyd's murder Marriage equality has finally become law in Australia, at last Christmas carol vibrator Cartoon character Snagglepuss has is own comic, and is officially gay New Line and Warner Bros. announce a new animated 'Lord of the Rings' film Beyoncé presents Colin Kaepernick with Muhammad Ali Legacy Award 'But I'm a Cheerleader' is the perfect fairytale for Pride Chance the Weatherman reports for duty 'In The Heights' is Hollywood going Bollywood in the best way Hubble catches sight of a beautifully swirling galaxy in flux The giant heads of 'Mount Recyclemore' highlight the world's e Have an old iPhone? You should really download this security update. DC officially won't let Batman go down on Catwoman, and Twitter is in an uproar Net neutrality protestors hit Verizon stores — including these two dudes in snowy Fairbanks, Alaska Ubisoft's parade of E3 2021 reveals: Mario + Rabbids, Avatar, and more Fitbit's smartwatch finally gets its first update Google to stop hiding full web addresses in Chrome browser China's Zhurong rover takes an adorable group selfie on Mars
2.1654s , 8229.6328125 kb
Copyright © 2025 Powered by 【To Be Twenty (Avere vent’anni)】,Miracle Information Network