Novel Chrome extension-exploiting attack facilitates device takeovers

BleepingComputer reports that threat actors could covertly hijack devices through the new multi-stage Browser Syncjacking attack that involves a trojanized Chrome extension.

According to an analysis from SquareX, attackers first establish a malicious Google Workspace domain with various user profiles that lack multi-factor authentication and publish a seemingly legitimate browser extension on the Chrome Web Store, then lure targets into downloading the extension. The extension stealthily logs in to one of the attacker-controlled Workspace profiles and then opens the legitimate Chrome support page, which prompts targets to activate Chrome sync. Once sync is activated, attackers can access not only all the targeted device's data but also the breached profile.

Such access could then be leveraged by attackers to trick victims into installing a fake software update that would allow total browser control.

"Unlike previous extension attacks that involve elaborate social engineering, adversaries need only minimal permissions and a small social engineering step, with nearly no user interaction required to execute this attack," said SquareX researchers.
