Billions of Chrome users at risk from new browser-hijacking Syncjacking attack — how to stay safe

and image of the Google Chrome logo on a laptop
(Image credit: Shutterstock)

Google Chrome is the most popular browser on desktop, which is why it’s also one of the most popular targets for hackers. This makes perfect sense given how much personal and sensitive info we store in our browsers, and now, hackers have come up with a clever new way to steal all that data and even take over our computers.

As reported by BleepingComputer, a new attack called ‘Browser Syncjacking’ was recently spotted online by security researchers at the cybersecurity firm SquareX. The attack involves several steps, but what makes it particularly dangerous is that it’s sneaky and requires minimal permissions. There’s very little a Chrome user has to do to fall victim to it.

Here’s everything you need to know about this new attack, along with some tips and tricks to help keep you, your data and your devices safe.

From browser extension to device take over

Before targeting Chrome users, the hackers behind this new attack first set up a malicious Google Workspace domain with multiple user profiles where security features such as multi-factor authentication are intentionally disabled. Later on, this domain is used in the background to create managed profiles on the victim’s devices.

From there, the hackers then create and launch a malicious Chrome extension on the Chrome Web Store. To entice potential victims, they make this extension appear as a useful tool they might want to add to Chrome.

Then, through social engineering, the attackers trick potential victims into installing this new extension. Once installed, it uses a hidden browser window running in the background to log a victim into one of the managed Workspace profiles the hackers previously created.

To trick victims into enabling Chrome sync on this new hacker-controlled profile, the extension opens an actual Google support page that has been tampered with, which explains how to turn on sync. If a victim goes through this whole process, all of their stored Chrome data, including passwords and browsing history, ends up in the hands of the hackers, who can then use their now compromised Chrome profile on their own device.

Now that the hackers have control over a victim’s Chrome profile, they then try to take over their browser completely. In a blog post detailing this new attack, SquareX explains that this is often done using a fake Zoom update. For instance, the victim might receive a legitimate Zoom invite. Still, when they click on it, the extension from earlier injects malicious content into the invitation, explaining that Zoom needs to be updated. However, instead of a real update, the download that appears is actually an executable file that contains an enrollment token. If a victim runs this file thinking it’s an ordinary update, they give the hackers behind this campaign complete control over their browser.

From here, the attackers can silently access all of a victim’s web apps, install additional malicious extensions, redirect them to phishing sites, monitor/ modify files and a whole lot more, according to SquareX’s researchers. To make matters worse, by using Chrome’s Native Messaging API, the attackers can establish a direct communication channel between their malicious extension and a victim’s operating system, which lets them install malware, capture keystrokes, extract sensitive data and even activate a device’s webcam and microphone.

How to stay safe from malicious browser extensions

Best antivirus software

(Image credit: Shutterstock)

We’ve seen similar extension attacks in the past that also involve elaborate social engineering. Still, this one is a bit different since an attacker only requires minimal permissions, a bit of social engineering and almost no user interaction to pull it off. Likewise, unless a victim continually checks for managed browser labels deep within Chrome’s settings, there’s no visual indication that their browser has been hijacked.

To stay safe from this attack and others like it, the first thing you want to do is to avoid installing new Chrome extensions as well as limit the ones you do have installed. Before installing any new extension, you want to carefully look into the extension itself as well as its developers for signs of anything suspicious. However, you should also ask yourself if you really need this extension or if you can use another program or app to do the exact same thing.

As for staying safe from malware, you want to ensure you’re using the best antivirus software on your Windows PC and the best Mac antivirus software on your Apple computer. Likewise, it’s better to store your passwords and other credentials in one of the best password managers as opposed to in your browser since hackers love targeting them.

Hackers will keep coming up with clever new attacks. Still, by being extra cautious online, not installing unnecessary extensions, software or apps and improving your own cyber hygiene, you should be able to avoid falling victim to them.

More from Tom's Guide

TOPICS
Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
and image of the Google Chrome logo on a laptop
Google Chrome at risk from shape-shifting browser extensions — how to stay safe
and image of the Google Chrome logo on a laptop
Popular Chrome extensions hijacked by hackers in widespread cyberattack — 3.2 million at risk
and image of the Google Chrome logo on a laptop
Over 600,000 Chrome users at risk after 16 browser extensions compromised by hackers — what you need to know
A hacker typing quickly on a keyboard
Hackers are posing as Apple and Google to infect Macs with malware — don’t fall for these fake browser updates
A hacker typing quickly on a keyboard
Hackers can steal your accounts, and all it takes is a double-click — don’t fall for this new form of clickjacking
A hacker typing quickly on a keyboard
Thousands of WordPress sites hijacked to spread Windows and Mac malware - how to stay safe
Latest in Online Security
23andME box
23andMe has declared bankruptcy — here's how to delete your data now
A magnifying glass on top of the Steam logo in a web browser
Valve just pulled a malicious game demo spreading info-stealing malware from Steam
A man filing his taxes electronically on a laptop
AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
MacBook Pro 2023
New Mac attack is tricking users into thinking their computer is locked — how to stay safe
Hacker using a stolen social security card
Your Social Security number is a literal gold mine for scammers and identity thieves — here’s how to keep it safe
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Latest in News
Bill Gates in 2019
Bill Gates just predicted the death of every job thanks to AI — except for these three
NYTimes Connections
NYT Connections today hints and answers — Wednesday, March 26 (#654)
Gemini screenshot image
Google unveils Gemini 2.5 — claims AI breakthrough with enhanced reasoning and multimodal power
Samsung Galaxy Z Flip 6 review.
Samsung Galaxy Z Flip 7 design just teased in new cases leak — and the outer display is huge
Google Chrome
Chrome failed to install on Windows PCs, but Google has issued a fix — here's what happened
nyc spring day AI image
OpenAI just unveiled enhanced image generator within ChatGPT-4o — here's what you can do now