{"id":1593,"date":"2025-01-31T17:18:44","date_gmt":"2025-02-01T00:18:44","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=1593"},"modified":"2025-01-31T17:18:48","modified_gmt":"2025-02-01T00:18:48","slug":"browser-syncjacking","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2025\/01\/31\/browser-syncjacking\/","title":{"rendered":"Browser Syncjacking"},"content":{"rendered":"\n<p>Browser Syncjacking is an exploit that takes advantage of the Google Sync functionality of the Chrome web browser to hijack a user&#8217;s browser. Google Sync is used to sync a Google account across multiple devices so that whatever you do persists from one device to the next. Malicious actors have found a way to use this to take over a target&#8217;s device.<\/p>\n\n\n\n<p>This method was discovered on Jan 23rd, 2025 by security researchers at SquareX[1], and as they explain it, the process involves three steps: profile hijacking, browser hijacking, and finally device hijacking.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Profile Hijacking<\/h4>\n\n\n\n<p>First the attacker buys a domain and links it to a Google Workspace account. The attacker can then disable any security settings such as MFA. This gives the attacker access to the list of users tied to that domain in the Google Workspace account. The next step is to create an extension (with basic read and write permissions) and get people to install it in Chrome. This can be done in a myriad of ways, from social engineering through emails to a legitimate ad campaign on YouTube or other social media platforms. 
Note that the extension may actually provide a service, like monitoring stocks or finding coupons for Amazon; the malicious part can be an add-on.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"827\" height=\"466\" data-src=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/bp-1.png\" alt=\"Browser Profile Hijacking image by SquareX\" class=\"wp-image-1591 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/bp-1.png 827w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/bp-1-300x169.png 300w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/bp-1-768x433.png 768w\" data-sizes=\"(max-width: 827px) 100vw, 827px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 827px; --smush-placeholder-aspect-ratio: 827\/466;\" \/><figcaption class=\"wp-element-caption\">Browser Profile Hijacking image\nby SquareX<\/figcaption><\/figure>\n\n\n\n<p>Once the extension has been installed, it opens a hidden window in which it authenticates a user profile that was created on the attacker&#8217;s Google Workspace account. It then switches to that profile, which automatically brings the user to the <strong>official<\/strong> support.google.com page where Google asks the user to turn on Chrome Sync. If the user turns on Google Sync, all of their local data, including browsing history, passwords, extensions and so on, gets mapped to the profile that was logged in and connected to the attacker&#8217;s Google Workspace. 
All the attacker has to do is log into the same profile.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"826\" height=\"464\" data-src=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/google-sync.png\" alt=\"Google sync image by SquareX\" class=\"wp-image-1586 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/google-sync.png 826w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/google-sync-300x169.png 300w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/google-sync-768x431.png 768w\" data-sizes=\"(max-width: 826px) 100vw, 826px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 826px; --smush-placeholder-aspect-ratio: 826\/464;\" \/><figcaption class=\"wp-element-caption\">Google sync image\nby SquareX<\/figcaption><\/figure>\n\n\n\n<p>It is important to note that at this point the user is already fully compromised. The only warning sign here is the profile icon changing, but with some reconnaissance and social engineering the attacker can customize this. 
This is made easier when the target is enterprise-related, as those usually use the default icon.<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"828\" height=\"460\" data-id=\"1588\" data-src=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/token.png\" alt=\"enrollment token\" class=\"wp-image-1588 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/token.png 828w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/token-300x167.png 300w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/token-768x427.png 768w\" data-sizes=\"(max-width: 828px) 100vw, 828px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 828px; --smush-placeholder-aspect-ratio: 828\/460;\" \/><figcaption class=\"wp-element-caption\">enrollment token image<br>by SquareX<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"829\" height=\"461\" data-id=\"1592\" data-src=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/code.png\" alt=\"Registry entries image by SquareX\" class=\"wp-image-1592 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/code.png 829w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/code-300x167.png 300w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/code-768x427.png 768w\" data-sizes=\"(max-width: 829px) 100vw, 829px\" 
src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 829px; --smush-placeholder-aspect-ratio: 829\/461;\" \/><figcaption class=\"wp-element-caption\">Registry entries code image<br>by SquareX<\/figcaption><\/figure>\n<\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Browser and Device Hijacking<\/h4>\n\n\n\n<p>The next step is taking over the user&#8217;s entire Chrome browser and making it a &#8220;managed&#8221; browser under the attacker&#8217;s Google Workspace. This is done by creating enrollment tokens using the attacker&#8217;s Google Workspace account, which are then packaged into an executable along with two registry entries: the first registry entry makes the Chrome browser &#8220;managed&#8221;, and the second allows &#8220;Native Messaging&#8221; through a specific extension ID. In this case the executable is made to look very similar to the official Zoom installer; we can imagine that with more information this could be customized for the target and made to look like a different app that the user is more likely to &#8220;install&#8221; or &#8220;update&#8221;.<\/p>\n\n\n\n<p>Using the Zoom example, the next time the user receives a Zoom link, the extension redresses the UI to make it appear that the victim&#8217;s Zoom requires an update. 
Again, because this is on the official Zoom page with an HTTPS connection and no certificate error, the user is more likely to click on the update button, which downloads and executes the file the attacker has packaged.<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"826\" height=\"464\" data-id=\"1590\" data-src=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/zoom-update.png\" alt=\"Zoom update image by SquareX\" class=\"wp-image-1590 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/zoom-update.png 826w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/zoom-update-300x169.png 300w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/zoom-update-768x431.png 768w\" data-sizes=\"(max-width: 826px) 100vw, 826px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 826px; --smush-placeholder-aspect-ratio: 826\/464;\" \/><figcaption class=\"wp-element-caption\">Zoom update image<br>by SquareX<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"827\" height=\"466\" data-id=\"1589\" data-src=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/zoom-download.png\" alt=\"Zoom download image by SquareX\" class=\"wp-image-1589 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/zoom-download.png 827w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/zoom-download-300x169.png 300w, 
https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/zoom-download-768x433.png 768w\" data-sizes=\"(max-width: 827px) 100vw, 827px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 827px; --smush-placeholder-aspect-ratio: 827\/466;\" \/><figcaption class=\"wp-element-caption\">Zoom download image<br>by SquareX<\/figcaption><\/figure>\n<\/figure>\n\n\n\n<p>When the executable runs, the two registry entries, one to make the browser managed and the other to enable Native Messaging, are both added to the user&#8217;s local machine. Chrome then restarts, and when it launches it automatically picks up the enrollment token, making the browser a &#8220;managed&#8221; browser with the attacker in control. The key thing here is that after this the browser interface remains exactly the same: there are no visual changes to the user&#8217;s browser, and the Zoom page resets back to the original page where the user can launch the meeting as expected. This is important because, as far as the user is concerned, Zoom was just updated and that is all that happened.<\/p>\n\n\n\n<p>On the attacker&#8217;s end, now that they have a managed browser, they can turn off Safe Browsing and apply a range of attributes and policies, but most importantly they can <strong>enforce<\/strong> additional malicious extensions that do not have to be screened by the Web Store. These extensions can do anything the attacker can envision. An example of this would be using a hidden window to silently authenticate the user into a third-party application that asks for full Google Drive read and write access. 
They can also redirect websites, so that instead of the official Google Docs website the user is sent to a clone of it, where the attacker has access to all the data the user enters.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"827\" height=\"461\" data-src=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/safe-browsing.png\" alt=\"Safe browsing image by SquareX\" class=\"wp-image-1587 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/safe-browsing.png 827w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/safe-browsing-300x167.png 300w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/safe-browsing-768x428.png 768w\" data-sizes=\"(max-width: 827px) 100vw, 827px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 827px; --smush-placeholder-aspect-ratio: 827\/461;\" \/><figcaption class=\"wp-element-caption\">Safe browsing image\nby SquareX<\/figcaption><\/figure>\n\n\n\n<p>The final part is the Native Messaging registry entry that was enabled. This allows the attacker to run essentially any command on the user&#8217;s machine through the extension, with the responses sent back to the attacker over a WebSocket connection. This gives the attacker direct access to local files and directories: they can read them, modify them, and add new files. All of this happens in an extremely stealthy manner, and we can easily imagine something like this going on inside an enterprise machine for months before anyone notices.<\/p>\n\n\n\n<p>The scariest part about Browser Syncjacking is just how little the user knows of what is happening. Every part of this has been tailored so well that it is hard to believe anyone would be able to notice. 
Gone are the days of the scary popups trying to download malware onto your device.<\/p>\n\n\n\n<p>[1] https:\/\/labs.sqrx.com\/browser-syncjacking-cc602ea0cbd0<\/p>\n\n\n\n<p>[2] https:\/\/www.bleepingcomputer.com\/news\/security\/new-syncjacking-attack-hijacks-devices-using-chrome-extensions\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Browser Syncjacking is an exploit that takes advantage of the Google Sync functionality of the Chrome web browser to hijack a user&#8217;s browser. Google Sync is used to sync a Google account across multiple devices so that whatever you do persists from one device to the next. Malicious actors have found a way &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2025\/01\/31\/browser-syncjacking\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Browser Syncjacking&#8221;<\/span><\/a><\/p>\n","protected":false},"author":681,"featured_media":1585,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1593","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","entry"],"featured_image_src":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/google-banner-600x400.png","featured_image_src_square":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/01\/google-banner-600x600.png","author_info":{"display_name":"Abdul 
Salawu","author_link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/author\/abdul-salawu\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/users\/681"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/comments?post=1593"}],"version-history":[{"count":1,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1593\/revisions"}],"predecessor-version":[{"id":1594,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1593\/revisions\/1594"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/media\/1585"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/media?parent=1593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/categories?post=1593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/tags?post=1593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}