Chrome Sync can be misused for malware distribution

An unpleasant story that a security researcher has just made public: attackers have managed to abuse the sync function of the Google Chrome browser for their own purposes, at least to retrieve information.


I came across this issue via various tweets like the one below. Catalin Cimpanu has prepared this article on ZDNet.

Google Chrome issue

Chrome sync is a feature of the Chrome web browser that stores copies of a user's Chrome bookmarks, browsing history, passwords, and browser and extension settings on Google's cloud servers. This allows users who are logged into a Google user account with the Google Chrome browser to sync the stored information across different devices. This way, the user always has access to their current Chrome data.

Attack via Chrome extensions

Security researcher Bojan Zdrnja has now discovered that this Google infrastructure can also be abused as a command-and-control (C2) communication channel. Attackers can siphon off data and store it on Google's servers, from where they retrieve it. The security researcher documented the whole thing, which he found in an attack in the wild, in this post.

The basis for this attack was a malicious extension that the attacker dropped on the compromised system. Malicious browser extensions are nothing new in themselves – they are everyday business, and Google regularly kicks such extensions out of the Chrome Web Store (see Chrome extension The Great Suspender removed from store due to possible malware).


What is new in this case is that the attackers did not use the Chrome Web Store to install the extension. Instead, they placed the extension in a local folder on the compromised workstation and loaded it into Chrome directly from there. This is actually a legitimate feature in Chrome: users can go to More Tools -> Extensions and then enable Developer mode.

Side load extensions

After that, any extension can be loaded locally, directly from a folder, via the Load Unpacked Extension button. The attackers created a malicious add-on pretending to be the Forcepoint Endpoint Chrome Extension for Windows, as can be seen in the screenshot below. Of course, the extension had nothing to do with Forcepoint – the attackers just used its logo and name.

Bad Chrome extension

When creating Chrome extensions, their configuration is stored in a file called manifest.json, which also specifies the permissions the extension has. The attackers had manipulated the manifest file so that a script started in the background once the extension was loaded. The script automatically searched Chrome's storage for OAuth tokens, which were then automatically synchronized to the user's Google cloud storage.

To gain access to the synced sensitive data, the threat actor would only need to log into the same Google account in Chrome on another system. The background is that third-party vendors are not allowed to use the private Google Chrome Sync API. Once that login succeeds, an attacker can "abuse Google's infrastructure to communicate with the Chrome browser on the victim's network," Zdrnja writes. He continues, "There are some limitations on the size of the data and the number of requests, but this is actually perfect for C&C commands (which tend to be small) or for stealing small but sensitive data – like authentication tokens."

Zdrnja suspects a specific scenario: the attackers planned to manipulate data in an internal web application and collect information that the victim had access to. Since much today runs exclusively as web applications, a lot of information accumulates there. The attackers therefore initially limited their access on this workstation to anything related to web applications, and no other binaries were dropped (yet), only the malicious Chrome extension. Perhaps at a later stage a malicious binary would have been loaded to extend access.

To prevent the malicious extension from exfiltrating data at the network level, servers that Google uses for various legitimate purposes (e.g. clients4.google.com) would also have to be blocked. Blocking is therefore not the right way to protect against similar attacks. To prevent attackers from abusing Google Chrome's Sync API to collect and exfiltrate data from corporate environments, Zdrnja instead recommends Group Policy: there, a list of allowed Chrome extensions can be set, and all other extensions will be blocked.
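As an added example (not from the original post or from Zdrnja's write-up), the following audit script applies the two points above on the defender's side: it flags extensions that were side-loaded via Developer mode, that request the "storage" permission needed for chrome.storage.sync, or that are missing from the organisation's allowlist. It assumes the layout of Chrome's "Secure Preferences" file (an extensions.settings.<id> entry per extension holding a copy of the manifest, with location 4 meaning "loaded unpacked"); the extension IDs and preferences content are constructed sample data.

```python
import json

# Chrome records every installed extension under extensions.settings.<id> in the
# profile's "Secure Preferences" (or "Preferences") file together with a copy of
# its manifest. location == 4 marks an extension loaded unpacked from a folder via
# Developer mode, which is how the attackers bypassed the Chrome Web Store here.
UNPACKED = 4

# Constructed sample of the relevant part of a Secure Preferences file (not real data).
SAMPLE_PREFS = json.loads(r'''
{"extensions": {"settings": {
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
    "location": 1,
    "manifest": {"name": "Approved Vendor Tool", "version": "2.1",
                 "permissions": ["tabs"]}},
  "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
    "location": 4,
    "path": "C:\\Users\\Public\\fp_ext",
    "manifest": {"name": "Forcepoint Endpoint Chrome Extension for Windows",
                 "version": "1.0",
                 "permissions": ["storage", "tabs", "webRequest", "<all_urls>"],
                 "background": {"scripts": ["background.js"]}}}
}}}
''')


def audit_extensions(prefs, allowlist):
    """Return one finding per extension that is side-loaded, requests the
    "storage" permission (the prerequisite for writing to chrome.storage.sync),
    or is not on the allowlist. An empty list means nothing to report."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        reasons = []
        if entry.get("location") == UNPACKED:
            reasons.append("loaded unpacked from %s" % entry.get("path", "?"))
        if "storage" in manifest.get("permissions", []):
            reasons.append("requests 'storage' (can write to chrome.storage.sync)")
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS, {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}):
        print(finding["id"], finding["name"], "; ".join(finding["reasons"]))
```

On a managed Windows fleet the enforcement counterpart is the Chrome policy pair ExtensionInstallBlocklist set to "*" plus ExtensionInstallAllowlist listing the approved extension IDs, deployed under HKLM\Software\Policies\Google\Chrome via Group Policy.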

However, two things about the security researcher's description are still not clear to me after cross-reading the article. How did the attackers manage to enable the loading feature in Chrome – does the user need to intervene there? And how do the attackers get the access token for the Google account that is used for synchronization? 

Currently I also don't know whether Microsoft's Chromium-based Edge is vulnerable in the same manner. Its sync isn't done via Google accounts; Microsoft accounts are used instead.
