Synchronizing bookmarks has become a standard feature of modern browsers: it allows internet users to ensure that changes they make to bookmarks on one device take effect on all their devices simultaneously. However, it turns out that same useful browser feature also gives cybercriminals a handy path of attack.
Namely: Bookmarks can be misused to siphon off tons of stolen data in a corporate environment, or to sneak into attack tools and malicious payloads, with little risk of being detected.
David Prefer, an academic researcher at the SANS Technology Institute, made the discovery as part of a larger research into how attackers can abuse browser functionality to smuggle data out of a compromised environment and execute attacks. other malicious features.
In a recent tech article, Prefer described the process as “bruggling” – a portmanteau of browser and contraband. This is a new data exfiltration vector
which he demonstrated with a proof-of-concept (PoC) PowerShell script called “Brugglemark” that he developed for this purpose.
The art of bruggling
“No weaknesses or vulnerabilities are exploited with the synchronization process,” Prefer points out. “This paper focuses on the ability to name bookmarks whatever you want and then sync them with other connected devices, and how this very handy and useful feature can be unintentionally distorted and misused.”
An adversary would already need access – remote or physical – to the environment and would have already infiltrated it and collected the data he wishes to exfiltrate. They could then either use the stolen browser sync credentials of a legitimate user in the environment or create their own browser profile and then access those bookmarks on another system where they were synced to access and save the data , explains Prefer. An attacker could use the same technique to infiltrate malicious payloads and attack tools into an environment.
The advantage of the technique is, simply put, stealth.
Johannes Ullrich, dean of research at the SANS Institute, says data exfiltration via bookmark synchronization gives attackers a way to bypass most host- and network-based detection tools. For most detection tools, the traffic would appear as normal browser sync traffic to Google or any other browser manufacturer. “Unless the tools are looking at traffic volume, they won’t see it,” Ullrich says. “All traffic is also encrypted, so it’s a bit like DNS over HTTPs or other ‘living on the cloud’ techniques,” he says.
Brugging in practice
Regarding how an attack could be carried out in the real world, Prefer cites an example where an attacker could have compromised a corporate environment and gained access to sensitive documents. To exfiltrate data via bookmark synchronization, the attacker must first put the data into a form that can be stored as bookmarks. To do this, the adversary could simply encode the data in base64 format, then split the text into separate chunks and save each of those chunks as individual bookmarks.
Prefer has discovered – through trial and error – that modern browsers allow a huge number of characters to be stored as single bookmarks. The actual number varied with each browser. With the Brave browser, for example, Prefer found it could sync the entire book very quickly. The best of worlds using only two bookmarks. Doing the same with Chrome required 59 bookmarks. Prefer also found during testing that browser profiles could sync up to 200,000 bookmarks at a time.
Once the text is saved as bookmarks and synchronized, all the attacker would have to do is log into the browser from another device to access the content, reassemble it, and base64 decode it into the text of the file. ‘origin.
“As for the type of data that can be exfiltrated via this technique, I think it depends on the creativity of an adversary,” says Prefer.
Prefer’s research focused primarily on the browser market share leader, Google Chrome, and to a lesser extent on other browsers such as Edge, Brave, and Opera, all of which are based on the same open-source Chromium project. on which Chrome is built. But there’s no reason that the blurring shouldn’t work with other browsers such as Firefox and Safari, he notes.
Other Use Cases
Significantly, bookmark synchronization isn’t the only browser feature that can be used in this way, says Prefer. “There are many other browser features used in Sync that could be misused in the same way, but would require research to investigate,” he says. For example, it shows autofills, extensions, browser history, stored passwords, preferences, and themes, all of which can be synced. “With a little research, it might turn out that they can be abused as well,” says Prefer.
Ullrich says Prefer’s article was inspired by previous research that showed how the browser extension synchronization could be used for data exfiltration and command and control. With this method, however, a victim would have been forced to install a malicious browser extension, he says.
Mitigate the threat
Prefer says organizations can mitigate the risk of data exfiltration by disabling bookmark synchronization using Group Policy. Another option would be to limit the number of email domains allowed to connect for synchronization, so that attackers cannot use their own account to do so.
“[Data loss protection] DLP monitoring that an organization already performs can also be applied here,” he says.
Syncing bookmarks wouldn’t work very well if syncing happened at a slower speed, Ullrich says. “But being able to sync over 200,000 bookmarks and only seeing a speed limit after 20,000 or 30,000 bookmarks makes this [very] valuable,” he says.
Thus, browser makers can make things more difficult for attackers, for example by dynamically limiting bookmark synchronization based on factors such as the age of an account or logins from a new geographical location. Likewise, bookmarks containing base64 encoding could be prevented from syncing, as well as bookmarks with excessive names and URLs, Prefer says.