Taking over browsers via ‘syncjacking’: what is it?

Attacks via browser extensions have been possible for a while. New research now reveals a method by which malicious actors can take over an entire device directly from the browser.

These findings come from SquareX, which previously raised concerns about dangerous extensions. The researchers describe a method that initially looks very similar to previous attacks but ultimately leads to far bigger problems.

Silent switch trick

The attack hinges on installing a malicious extension. This can happen more easily than one might think: users often fail to notice that a once-trusted tool remains installed, even after its maintenance has passed to someone with ill intent.

Next, the extension executes a silent switch trick: it automatically signs the user into a rogue Chrome profile within the attacker’s Google Workspace. Security features such as Safe Browsing are disabled, and once the unsuspecting user’s profile is synchronized, the attacker can inflict even worse damage. Achieving actual synchronization requires some persuasion: SquareX mentions launching Google’s support page about syncing browser accounts. Users are quick to follow such a prompt, which then makes their credentials accessible elsewhere. All of this happens without ever triggering a security alert, since no malicious link was accessed.

Further damage

Escalating to a full browser takeover involves more steps. A user’s Chrome browser, for example, must be converted into a managed browser. Once that happens, a legitimate update to a tool like Zoom can be replaced with a new malicious payload, the SquareX researchers note. From there, attackers can operate on the victim’s device after escalating their privileges.

For instance, the browser extension can communicate with a local shell and native applications to switch on the camera, record audio or screens, or install other malicious software. In short, Pandora’s box has been opened at this stage.

SquareX argues that several oversights have led to this “syncjacking” threat. For example, managed browsers should be clearly distinguishable from normal browsers so that even non-technical users can spot the difference. Also, anyone can currently link a Workspace account to a new domain without any form of authentication. Beyond that, the browser is a particularly vulnerable part of an organization’s ecosystem, as it often goes unmonitored by standard security tools. Extensions, in particular, are not typically tracked by the software that businesses normally have installed. Worst of all, victims generally remain unaware of any attack until it is too late.
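The passages above describe the traces the chain leaves on an endpoint: Safe Browsing switched off, the profile signed in and synced to an account the user did not choose, the browser enrolled as a managed browser, force-installed extensions, and a native messaging host that gives an extension a path to a local shell. The following Python is an added example, not SquareX’s code or anything from the article, showing how a defender could audit those artefacts. The policy names are real Chrome enterprise policies and the file locations in the comments are Chrome’s documented Linux paths; the policy document, the host manifests, the approved-extension list and the `SHELL_LIKE` set are constructed assumptions for illustration.

```python
"""Audit Chrome policy and native-messaging artefacts for signs of a
syncjacking-style takeover.  Added example; not SquareX's code.  All sample
data below is constructed.  Policy names are real Chrome enterprise policies;
paths in comments are Chrome's standard Linux locations."""
import json
import os
from typing import Dict, Iterable, List

# Update URL Chrome uses for Web Store extensions; a force-installed extension
# pointing anywhere else is self-hosted and deserves a closer look.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Basenames that suggest a native messaging host hands the extension a shell or
# interpreter rather than a purpose-built bridge binary (illustrative assumption).
SHELL_LIKE = {"sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe",
              "pwsh", "python", "python3", "osascript"}

# Constructed managed-policy JSON.  On Linux, Chrome reads real ones from
# /etc/opt/chrome/policies/managed/*.json.
SAMPLE_POLICY = json.loads("""
{
  "SafeBrowsingProtectionLevel": 0,
  "BrowserSignin": 2,
  "SyncDisabled": false,
  "CloudManagementEnrollmentToken": "PLACEHOLDER-ENROLLMENT-TOKEN",
  "ExtensionInstallForcelist": [
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;https://updates.example.invalid/ext.xml",
    "cccccccccccccccccccccccccccccccc"
  ]
}
""")

# Constructed native messaging host manifests keyed by file name.  Real ones
# live in the profile's NativeMessagingHosts directory or, system-wide on
# Linux, in /etc/opt/chrome/native-messaging-hosts/.
SAMPLE_HOSTS: Dict[str, dict] = {
    "com.example.helper.json": {
        "name": "com.example.helper",
        "path": "/usr/bin/sh",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/"],
    },
    "com.vendor.bridge.json": {
        "name": "com.vendor.bridge",
        "path": "/opt/vendor/bridge",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://cccccccccccccccccccccccccccccccc/"],
    },
}


def audit_policy(policy: dict) -> List[str]:
    """Return finding tags for policy settings the article associates with the attack."""
    findings: List[str] = []
    # SafeBrowsingProtectionLevel 0 means "no protection"; the older boolean
    # SafeBrowsingEnabled=false means the same thing.
    if policy.get("SafeBrowsingProtectionLevel") == 0 or policy.get("SafeBrowsingEnabled") is False:
        findings.append("safe_browsing_disabled")
    # BrowserSignin 2 forces sign-in to the browser, which is how a profile ends up synced.
    if policy.get("BrowserSignin") == 2:
        findings.append("browser_signin_forced")
    # An enrollment token means the browser is cloud-managed; confirm who manages it.
    if policy.get("CloudManagementEnrollmentToken"):
        findings.append("cloud_management_enrolled")
    # Forcelist entries are "<id>;<update_url>"; a missing URL means the Web Store.
    for entry in policy.get("ExtensionInstallForcelist", []):
        ext_id, _, update_url = entry.partition(";")
        if update_url and update_url != WEB_STORE_UPDATE_URL:
            findings.append(f"forced_extension_non_webstore:{ext_id}")
    return findings


def audit_native_hosts(hosts: Dict[str, dict], approved: Iterable[str]) -> List[str]:
    """Flag hosts reachable by unapproved extensions or backed by a shell/interpreter."""
    approved_ids = set(approved)
    prefix = "chrome-extension://"
    findings: List[str] = []
    for manifest in hosts.values():
        name = manifest.get("name", "?")
        for origin in manifest.get("allowed_origins", []):
            ext_id = origin[len(prefix):].strip("/") if origin.startswith(prefix) else origin
            if ext_id not in approved_ids:
                findings.append(f"native_host_unapproved_extension:{name}:{ext_id}")
        if os.path.basename(manifest.get("path", "")) in SHELL_LIKE:
            findings.append(f"native_host_shell:{name}")
    return findings


def load_hosts_dir(directory: str) -> Dict[str, dict]:
    """Read every *.json manifest from a real NativeMessagingHosts directory."""
    hosts: Dict[str, dict] = {}
    for fname in sorted(os.listdir(directory)):
        if fname.endswith(".json"):
            with open(os.path.join(directory, fname), encoding="utf-8") as fh:
                hosts[fname] = json.load(fh)
    return hosts


if __name__ == "__main__":
    approved = {"cccccccccccccccccccccccccccccccc"}  # constructed allowlist
    for tag in audit_policy(SAMPLE_POLICY) + audit_native_hosts(SAMPLE_HOSTS, approved):
        print(tag)
```

On a real host, feed `audit_policy` the parsed contents of the managed-policy directory and `audit_native_hosts` the output of `load_hosts_dir` for both the user-level and system-level host directories; the allowlist should come from your extension inventory, since the finding that matters is an extension nobody approved holding a channel to a local binary.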

The result is a blind spot for enterprise security, says SquareX founder Vivek Ramachandran. “Traditional security tools simply can’t see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A Browser Detection-Response solution isn’t just an option anymore – it’s a necessity. Without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers. This attack technique demonstrates why security needs to ‘shift up’ to where the threats are actually happening: in the browser itself.”
