Browser Syncjacking Attack via Chrome Extension
Information:
The Chrome Web Store is a platform by Google for downloading and installing extensions, themes, and apps on Google Chrome and Chromium-based browsers such as Edge and Brave. Users can enhance their browsers with features like ad blockers, note-taking tools, and password managers. Developers who wish to publish extensions on the Chrome Web Store must go through Google’s review process to ensure the extensions are safe and comply with the platform’s policies.
Incident:
Browser Syncjacking is a new form of security threat that uses Chrome extensions as the primary attack vector and consists of three main stages. The first stage is Profile Hijacking, which occurs when the victim installs a seemingly trustworthy extension designed to let the attacker log into the victim’s profile and take control of it. This enables the attacker to sync all browsing data, such as passwords, browsing history, and other sensitive information. The second stage is Privilege Escalation & Browser Hijacking, where the attacker uses social engineering to trick the victim into installing fake software, often disguised as an update for Zoom or another program. Once installed, the victim’s browser is turned into a Managed Browser controlled by the attacker, allowing them to install malicious extensions, intercept data, and redirect the victim to phishing websites. The final stage is Device Hijacking, which escalates control from the browser to the victim’s entire operating system. Using the Chrome Native Messaging Protocol, the attacker can make the extension communicate directly with the victim’s operating system. This gives the attacker access to files, the ability to log keystrokes and use the camera and microphone, and ultimately full control of the system. The attack is highly sophisticated and dangerous because it can be carried out seamlessly without the victim’s knowledge.
Recommendation:
- Avoid installing untrusted Chrome Extensions
- Disable Chrome Sync when not necessary
- Check the permissions of extensions before installation
- Enable Two-Factor Authentication (2FA) to reduce risks
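The recommendation to check an extension's permissions can be turned into a repeatable review step. The script below is an added example for this bulletin (it is not code from the bulletin's author or from the SquareX write-up): it reads a Chrome extension `manifest.json`, separates API permissions from host patterns for both Manifest V2 and V3, and flags the permissions that matter for the stages described above, in particular `nativeMessaging` (the bridge to the operating system used in the Device Hijacking stage), `management` (installing or disabling other extensions), and broad host access. The risk grouping and the two sample manifests are this example's own constructions, not an official Google classification or real extensions.

```python
"""Audit a Chrome extension manifest for permissions relevant to syncjacking.
Added example for this bulletin; not code from its author or from SquareX.
The risk grouping and the sample manifests are constructed for the demo."""
import json

# Permissions that let an extension read or alter the browsing session or talk
# to a host process.  This grouping is the example's own assumption, not an
# official Google risk classification.
HIGH_RISK = {
    "nativeMessaging": "exchange messages with a native host program on the OS",
    "management": "install, enable or disable other extensions",
    "debugger": "attach the DevTools protocol to any tab",
    "proxy": "reroute all browser traffic",
    "webRequest": "observe every request the browser makes",
    "webRequestBlocking": "modify or block requests in flight",
    "declarativeNetRequest": "rewrite or redirect requests by rule",
    "cookies": "read session cookies",
    "history": "read browsing history",
    "scripting": "inject scripts into pages",
    "tabs": "read the URL and title of every open tab",
    "identity": "obtain OAuth tokens for the signed-in account",
}

# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host_pattern(p: str) -> bool:
    return p == "<all_urls>" or "://" in p


def audit_manifest(manifest: dict) -> dict:
    """Return risky API permissions, broad host patterns and a verdict.

    Handles Manifest V3 (separate host_permissions) and V2 (host patterns
    mixed into permissions).  Optional permissions count too, because the
    extension can request them later with a single prompt."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= set(manifest.get("optional_host_permissions", []))
    hosts |= {p for p in perms if _is_host_pattern(p)}
    perms -= hosts

    risky = sorted(p for p in perms if p in HIGH_RISK)
    broad = sorted(h for h in hosts if h in BROAD_HOSTS)
    native = "nativeMessaging" in perms

    if native or (risky and broad):
        verdict = "high"
    elif risky or broad:
        verdict = "medium"
    else:
        verdict = "low"
    return {"risky": risky, "broad_hosts": broad,
            "native_messaging": native, "verdict": verdict}


def explain(findings: dict) -> list:
    """Human-readable lines for a review checklist."""
    lines = [f"{p}: {HIGH_RISK[p]}" for p in findings["risky"]]
    lines += [f"{h}: access to every site" for h in findings["broad_hosts"]]
    lines.append(f"verdict: {findings['verdict']}")
    return lines


# Constructed sample manifests (not real extensions).
SUSPICIOUS_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Helper (constructed sample)",
  "version": "1.0",
  "permissions": ["storage", "tabs", "nativeMessaging", "management"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "bg.js"}
}""")

BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Note Taker (constructed sample)",
  "version": "2.1",
  "permissions": ["storage"],
  "host_permissions": ["https://notes.example.test/*"]
}""")

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(m["name"])
        for line in explain(audit_manifest(m)):
            print("  " + line)
```

To use it on a real extension, load the unpacked extension's `manifest.json` with `json.load` and pass the dictionary to `audit_manifest`; a "high" verdict is a reason to pause before installing, not proof of malice, since legitimate tools (password managers, proxies) also need some of these permissions.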
Security systems are the important thing; we must stay vigilant and monitor them as usual.
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)
References :
- https://labs.sqrx.com/browser-syncjacking-cc602ea0cbd0
- https://chromewebstore.google.com/?hl=th
Weekly Interesting CVE
No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
---|---|---|---|---|---|---|---|---|---|
1 | CVE-2025-24734 | 27/01/2025 | 27/01/2025 | WordPress Better Find and Replace Plugin <= 1.6.7 | Privilege Escalation | 8.8 | Missing Authorization vulnerability in CodeSolz Better Find and Replace allows Privilege Escalation. This issue affects Better Find and Replace: from n/a through 1.6.7. | Update patch to version 1.6.8. | |
2 | CVE-2025-24740 | 27/01/2025 | 27/01/2025 | WordPress LearnPress Plugin <= 4.2.7.1 | Phishing Incident | 4.7 | This could allow a malicious actor to redirect users from one site to another because the redirect URL is not validated. Users could be tricked into visiting a legitimate site and then be redirected to a malicious site, causing a phishing incident. | Update patch to version 4.2.7.2. | |
3 | CVE-2025-24783 | 27/01/2025 | 28/01/2025 | All versions of Apache Cocoon | Identifier Guessing Attack | 7.5 | When a continuation is created, it gets a random identifier. Because the random number generator used to generate these identifiers was seeded with the startup time, it may not have been sufficiently unpredictable, and an attacker could use this to guess continuation ids and look up continuations they should not have had access to. | As a mitigation, you may enable the "session-bound-continuations" option to make sure continuations are not shared across sessions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. | https://www.cvedetails.com/cve/CVE-2025-24783/ |
4 | CVE-2025-24789 | 29/01/2025 | 29/01/2025 | Snowflake JDBC Driver versions 3.2.3 through 3.21.0 on Windows | Privilege Escalation | 7.8 | Snowflake discovered and remediated a vulnerability in the Snowflake JDBC Driver. When the EXTERNALBROWSER authentication method is used on Windows, an attacker with write access to a directory in the %PATH% can escalate their privileges to the user that runs the vulnerable JDBC Driver version. | Update patch to version 3.22.0. | |
5 | CVE-2024-53295 | 01/02/2025 | 01/02/2025 | Dell PowerProtect DD versions prior to 8.3.0.0, 7.10.1.50, and 7.13.1.20 | Improper Access Control Vulnerability | 7.8 | Dell PowerProtect DD versions prior to 8.3.0.0, 7.10.1.50, and 7.13.1.20 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability, leading to escalation of privilege. | Update patch to version 8.3.0.0, 7.10.1.50, 7.13.1.20 or higher. | |
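The CVE-2025-24783 entry turns on one point worth seeing in code: an identifier can be 64 bits wide and still carry only as much unpredictability as the seed behind it. The block below is an added illustration for this bulletin, not Apache Cocoon's code; Python's `random` module stands in for any deterministic PRNG, because the weakness is the low-entropy startup-time seed rather than the particular generator. It shows that identifiers from a time-seeded generator are fully reproducible from the seed, estimates the effective entropy of a startup time known to within a day at millisecond resolution, and puts a CSPRNG-based alternative (`secrets`) beside it. The startup timestamp is a constructed value.

```python
"""Why a startup-time seed gives predictable identifiers.  Added example for
this bulletin, not Apache Cocoon's code: Python's random module stands in
for any deterministic PRNG, because the weakness is the low-entropy seed,
not the particular generator."""
import math
import random
import secrets


def make_ids_time_seeded(startup_ms: int, count: int, nbits: int = 64) -> list:
    """Identifiers from a PRNG seeded once with the process start time in ms.
    Anyone who learns (or narrows down) startup_ms can regenerate them all."""
    rng = random.Random(startup_ms)
    return [rng.getrandbits(nbits) for _ in range(count)]


def make_ids_secure(count: int, nbits: int = 64) -> list:
    """Identifiers from the OS CSPRNG; there is no seed to recover."""
    return [secrets.randbits(nbits) for _ in range(count)]


def seed_entropy_bits(window_seconds: float, resolution_seconds: float) -> float:
    """Effective entropy of a time seed when the observer knows the start time
    to within window_seconds and the clock ticks every resolution_seconds.
    A 64-bit-looking identifier inherits only this much unpredictability."""
    return math.log2(window_seconds / resolution_seconds)


def ids_match_seed(ids: list, candidate_startup_ms: int, nbits: int = 64) -> bool:
    """True if the observed identifiers are exactly what this seed produces.
    The seed is the whole secret: one correct value reproduces the entire
    sequence, which is why a CSPRNG (no seed) is the fix, and binding
    continuations to a session limits the damage where no fix ships."""
    return make_ids_time_seeded(candidate_startup_ms, len(ids), nbits) == ids


if __name__ == "__main__":
    start = 1_738_000_000_000  # constructed startup timestamp in ms
    weak = make_ids_time_seeded(start, 3)
    print("time-seeded ids reproducible from seed:", ids_match_seed(weak, start))
    print("seed entropy, 1-day window at 1 ms resolution: %.1f bits"
          % seed_entropy_bits(86400, 0.001))
    print("CSPRNG ids:", make_ids_secure(3))
```

The entropy figure is the useful defensive check: if a service mints session or continuation identifiers from a seeded generator, the question to ask is how narrowly an outsider can bound the seed, not how many bits the identifier prints with.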
No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
---|---|---|---|---|---|
1 | Akamai warns of active attacks from new Mirai variant | 31/01/2025 | Malware, Botnet | Akamai researchers have discovered a new strain of Mirai malware called AquabotV3 that turns infected devices into zombies (botnet nodes) for DDoS (Distributed Denial of Service) attacks. The malware gains access to victim machines through the CVE-2024-41710 vulnerability, which affects Mitel SIP phones in version R6.4.0.HF1 (R6.4.0.136) and all earlier versions. Researchers expect many organizations to fall victim because few organizations tend to update their desk phone systems. | |
Ref: https://www.scworld.com/news/akamai-warns-of-active-attacks-from-new-mirai-variant
18 February 2025