Browser synchronization abuse: bookmarks as a conduit for secret data exfiltration


Two universal and seemingly innocuous browser features – the ability to create bookmarks (aka “favorites”) and browser synchronization – make life easier for users, but can also allow hackers to establish a clandestine data exfiltration channel.

Data exfiltration via bookmarks

Malicious browser extensions are a known and widespread threat that attackers use to steal passwords, extract data from email, or deliver additional malware. Some attackers have also recently managed to exploit Chrome’s sync feature, using an extension to connect their computer directly to a targeted workstation and create a secret channel for remote data manipulation, but also (presumably) for data exfiltration and C&C communication.

But the use of browser extensions can be restricted in corporate environments, blocking that particular path. David Prefer, a student at the SANS Technology Institute, therefore decided to study whether bookmarks could be exploited in the same way.

He found they could, and he wrote a basic PoC PowerShell script to facilitate data exfiltration via synced bookmarks.

Automated data encoding and decoding

Prefer’s research and testing focused on Chromium-based browsers (Chrome, Edge, Brave, and Opera), collectively used by a large majority of users.

He confirmed that synchronization is triggered by various bookmark actions (creation, deletion, etc.) and that remote devices usually receive synchronized bookmarks within seconds. He also worked out the maximum number of characters the bookmark name and URL fields can hold and still be synchronized, as well as the maximum number of bookmarks that can be synchronized at one time.

He then used this information to create Brugglemark (a portmanteau of “browser”, “smuggle” and “bookmarks”), a script that base64-encodes the supplied text, breaks it into smaller strings, and creates Chrome bookmarks by inserting them into the local bookmarks file, which is in JSON format (with dummy text in the other required bookmark fields).

Data can then be reconstructed from these bookmarks when they have been synchronized with a remote system.

Getting the PoC script out to the public might not sound like a good idea to many, but as Prefer told Help Net Security, there are much more powerful community-provided attack tools and scripts, and a script like Brugglemark can be trivially constructed based on the information provided in his research paper.

The out-of-the-box use of the script is further limited by the fact that it requires PowerShell 6.0 to run.

“On Windows I think 5.0 or 5.1 is the default. I have no doubt it could be upgraded to run on a lower version, but as things stand you’ll need to install PS 6 or higher to run the script,” he noted.

“Also, Brugglemark only really works with plain text files, as it’s just a proof of concept. It fails with Word documents and any other type of document, so it would take a bit of work to get it to support anything else.”

Not just data exfiltration

Smuggling of data out of corporate systems via bookmark synchronization can be done using existing (compromised) browser profiles/accounts or by attackers creating and logging in with their own account. Bookmarks and/or the attacker’s profile can be hidden from users’ view by creating them in alternate locations.

“But using bookmarks and sync for exfiltration alone would miss the point; browser sync provides a two-way channel for data,” Prefer noted.

“Bookmarks can be used to embed scripts or attack tools into an environment, deliver malicious payloads, or transfer data between systems in lateral movement. They can even be exploited to gain an initial foothold as a two-step phishing attack. For example, if a user is logged into the browser at work and uses the same account to log into their personal computer at home, that personal computer provides access to the corporate network.”

Attackers can then, for example, change a bookmark for a site the victim frequents often to point to a lookalike phishing site.

Defensive Actions

Enterprise defenders can take several steps to harden systems against browser sync abuse, Prefer noted, including limiting the email domains allowed to log in for syncing and application whitelisting (to prevent the installation of unauthorized, offensive Chromium builds that point to attacker-controlled synchronization infrastructure).

“The caveat [for this latter approach], however, is that it is going to take more work (probably more than it’s worth compared to other techniques) and it also loses the benefit of syncing through an accepted domain like google.com. Still, I thought I should mention it as a possibility,” he noted.

There are also a number of things defenders and threat hunters can do to uncover data exfiltrated in this way: look for unauthorized browser executables, look for abnormal request volumes from a single host, look for browser profiles outside the default file system locations, and so on.
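The smuggling format described above (base64 chunks dropped into the JSON bookmarks file) also gives hunters something concrete to look for in a profile. The following is an added example, not code from the article or from Prefer’s Brugglemark script: it walks the tree Chromium stores in a profile’s Bookmarks file and flags entries whose name or URL path is a long base64-alphabet string with non-trivial entropy. The 32-character and 3.0 bits/char thresholds and the sample bookmark data are assumptions constructed for the example.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")  # long, base64 alphabet only (assumed cut-off)
MIN_ENTROPY = 3.0  # bits per char; assumed threshold, tune against your own profiles

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_like_chunk(s: str) -> bool:  # base64 alphabet, long, and not a repeated character
    return bool(BASE64_RE.match(s)) and shannon_entropy(s) >= MIN_ENTROPY

def iter_bookmarks(node: dict):
    """Depth-first walk of a Chromium bookmark folder, yielding 'url' nodes."""
    if node.get("type") == "url":
        yield node
    for child in node.get("children", []):
        yield from iter_bookmarks(child)

def suspicious_reasons(bm: dict) -> list:
    reasons = []
    if looks_like_chunk(bm.get("name", "")):
        reasons.append("name is a base64-looking chunk")
    if looks_like_chunk(urlparse(bm.get("url", "")).path.strip("/")):
        reasons.append("url path is a base64-looking chunk")
    return reasons

def scan_bookmarks(tree: dict) -> list:
    """(name, reasons) per flagged entry; for a live profile pass json.load(open('<profile>/Bookmarks'))."""
    hits = []
    for root in tree.get("roots", {}).values():  # bookmark_bar, other, synced
        for bm in iter_bookmarks(root):
            reasons = suspicious_reasons(bm)
            if reasons:
                hits.append((bm["name"], reasons))
    return hits

# Constructed sample in the Bookmarks file layout: two ordinary entries plus a folder hiding chunks.
SAMPLE_BOOKMARKS = {"version": 1, "roots": {
    "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
        {"type": "url", "name": "Help Net Security", "url": "https://www.helpnetsecurity.com/"},
        {"type": "url", "name": "Chromium sync", "url": "https://www.chromium.org/developers/design-documents/sync/"}]},
    "other": {"type": "folder", "name": "Other bookmarks", "children": [{"type": "folder", "name": "zz", "children": [
        {"type": "url", "name": "VGhpcyBpcyBjb25zdHJ1Y3RlZCBzYW1wbGUgdGV4dCBmb3IgdGhlIGRldGVjdG9y", "url": "https://example.com/"},
        {"type": "url", "name": "chunk 2", "url": "https://example.com/c2VlIHRoZSBhcnRpY2xlIGZvciBob3cgYm9va21hcmtzIHN5bmMgd2l0aGluIHNlY29uZHM="}]}]}}}

print(scan_bookmarks(SAMPLE_BOOKMARKS))
```

Long opaque path segments occur in legitimate URLs too (video IDs, signed links), so baseline the rule against known-good profiles before alerting on it, and pair it with the host-level checks the paragraph lists.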

Finally, browser developers could also make changes that prevent outside tampering with bookmarks or set more restrictive limits for the synchronization option.
