A newly discovered Razer Synapse zero-day vulnerability has surfaced online. The exploit allows users to gain admin access by simply plugging in a Razer mouse or keyboard. Razer is a common brand amongst gamers, due to its colourful, high-quality accessories. Unfortunately, this means the exploit could be used by a wide range of people.
The exploit works because plugging in any Razer device automatically triggers the download and installation of the Synapse software. This software allows users to set up devices and peripherals from the desktop. A security researcher found they could quickly gain system privileges through the software.
Security researcher jonhat found the exploit, which they explained in a Twitter thread that has over 11,000 likes and 4,500 retweets. The process is scarily simple, and only requires that users plug in a mouse or dongle, download and install the RazerInstaller and then use the elevated Explorer window to open PowerShell with Shift+right-click.
The exploit gives hackers the highest administrative power in Windows, which might allow people to install malware or other harmful programs. If someone were to use this locally on a PC that contained sensitive information, there could be a harmful data leak. Jonhat attempted to contact Razer about the exploit, but did not hear anything back.
The researcher took to Twitter with the exploit. It was likely an attempt to gain the attention of Razer, which can issue a fix. Razer got in touch with jonhat shortly after the post went viral. A representative promised the team was looking into creating a fix. The business will also provide jonhat with a bounty for finding the bug, a practice that is common in the tech industry. Other Twitter users in the thread were quick to criticise Razer for forcing the software on users.