Bookmark Syncing is the New Tool for Sneaking in Cyber Attack Tools

Cyber attack

Browser synchronization increases the risk of cyber attack, thus a cybersecurity threat!

Modern browsers include synchronization features (like Google Chrome’s Sync) so that all your browsers, on all your devices, share the same tabs, passwords, plugins, and other features. While this is undoubtedly convenient, particularly when you’re migrating to a new device, synchronizing browsers also comes with some risks. So, can bookmark syncing be a new cyber attack tool for hackers? Let’s find out.

Synchronized data can include browser history, bookmarks, passwords, cookies, and other information that users consider private and typically have no intention of sharing with anyone else. Password, cookie, and payment card secrecy are also important for security. Browser synchronization increases the risk of inadvertently sharing that information with other users of the computers you sync between. It’s important to consider whether you are truly the only user of a system that is set to synchronize. Imagine what can happen if your kids are playing with your home laptop and it synchronizes to your work system.

On that note, Bookmark synchronization has become a standard feature in modern browsers: It gives Internet users a way to ensure that the changes they make to bookmarks on a single device take effect simultaneously across all their devices. However, it turns out that this same helpful browser functionality also gives cybercriminals a handy attack path.

Security threats can also be copied from one device to another, in the form of malicious extensions (also called plugins or add-ons), and open tabs. Malware in the form of browser extensions is relatively rare, but it does happen. There are infected JavaScript-based extensions with malicious code that made it possible to introduce malware to an affected system.

Google regularly has to clear out bad extensions from its Chrome Web Store. While many of those extensions would fall into the categories of Potentially Unwanted Programs (PUPs) or adware, they can still cause problems and many would be frowned upon if you introduced them into your work environment by synchronizing from your home browser.

Malicious browser extensions are a known and widespread threat, used by attackers to perform actions such as stealing passwords, exfiltrating email data, or delivering additional malware. Some attackers have also recently managed to exploit Chrome’s syncing feature and use an extension to connect their computer directly to a targeted workstation, creating a covert channel for remote data manipulation, but also (conceivably) for data exfiltration and C&C communication.

But the use of browser extensions can be restricted in enterprise environments, blocking that particular access path, so SANS Technology Institute student David Prefer decided to investigate whether bookmarks could be exploited similarly. He discovered that they can, and he created a basic PoC PowerShell script to make the data exfiltration process via synced bookmarks easy.

Significantly, bookmark syncing is not the only browser function that can be abused this way, Prefer says. “There are plenty of other browser features that are used in synchronization that could be misused similarly, but would require research to investigate,” he says. As examples, he points to autofills, extensions, browser history, stored passwords, preferences, and themes, which can all be synchronized. “With a bit of research, it might turn out that they can also be abused,” Prefer says.