Chromium browsers allow data exfiltration via bookmark sync

Bookmark syncing has become a standard feature in modern browsers: it lets users change their bookmarks on one device and have the change appear on all of their other devices. It turns out, however, that this same convenience also gives attackers a useful path out of a network.

To wit: bookmarks can be abused to siphon large amounts of stolen data out of a business environment, or to sneak attack tools and malicious payloads in, with little risk of detection.

David Prefer, an academic researcher at the SANS Technology Institute, made the discovery as part of a broader investigation into how attackers can abuse browser functionality to smuggle data out of a compromised environment and carry out other malicious actions.

In a recent whitepaper, Prefer described the technique as “bruggling,” a portmanteau of browser and smuggling. He demonstrated this new data exfiltration vector with a proof-of-concept (PoC) PowerShell script called “Brugglemark” that he wrote for the purpose.

The beautiful art of Bruggling

“There is no weakness or vulnerability that is being exploited with the sync process,” Prefer emphasizes. “What this document focuses on is the ability to name bookmarks whatever you want and then sync them with other registered devices, and how that very convenient and useful functionality can be twisted and misused in an unintended way.”

An adversary would already need access to the environment, either remote or physical, and would already have collected the data they want to exfiltrate. They could then sign in to the browser with a legitimate user’s stolen sync credentials, or create their own browser profile in the environment, save the data as bookmarks, and retrieve those bookmarks on another system once they have synced, Prefer says. The same technique works in reverse to bring malicious payloads and attack tools into an environment.

The advantage of the technique is, simply put, stealth.

Johannes Ullrich, dean of research at the SANS Institute, says that data exfiltration via bookmark synchronization gives attackers a way to bypass most network- and host-based detection tools. To those tools the traffic would look like normal browser sync traffic to Google or to whichever vendor makes the browser. “Unless the tools look at traffic volume, they won’t see it,” says Ullrich. “All traffic is also encrypted, so it’s a bit like DNS over HTTPS or other ‘living off the cloud’ techniques,” he says.

Bruggling in practice

In terms of how an attack could be carried out in the real world, Prefer points to an example in which an attacker has compromised a business environment and gained access to sensitive documents. To exfiltrate that data via bookmark synchronization, the attacker first needs to put it into a form that can be stored as bookmarks. To do this, the adversary can simply base64-encode the data, split the resulting text into chunks, and save each chunk as the name of an individual bookmark.

Prefer discovered, through trial and error, that modern browsers allow a considerable number of characters in a single bookmark name. The exact limit varied by browser. With the Brave browser, for example, Prefer found that he could very quickly sync the entire text of the novel Brave New World using only two bookmarks. Doing the same with Chrome required 59 bookmarks. Prefer also found during testing that browser profiles could sync up to 200,000 bookmarks at a time.

Once the text has been saved as bookmarks and synced, all the attacker has to do is sign in to the browser from another device, read the bookmark names, reassemble the chunks in order, and base64-decode the result back to the original data.
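As an added illustration of the encode, split, sync and reassemble steps described above (this is example code written for this page, not Prefer’s Brugglemark script; the chunk size, the sequence-number name layout and the placeholder URL are assumptions, not values from the paper):

```python
import base64
import re

# Assumed per-bookmark name budget. The article says the real limit differs
# by browser (two bookmarks for a whole novel in Brave, 59 in Chrome) but
# does not give the numbers, so 4000 is an illustrative value only.
CHUNK_LEN = 4000

# Assumed name layout: <prefix><index>/<total>|<base64 chunk>. The counter
# lets the receiving side reorder chunks, since sync gives no ordering
# guarantee, and the total lets it notice chunks that never arrived.
NAME_RE = re.compile(r"^([A-Za-z]+)(\d{5})/(\d{5})\|([A-Za-z0-9+/=]+)$")


def data_to_bookmarks(data: bytes, chunk_len: int = CHUNK_LEN,
                      prefix: str = "b") -> list[dict]:
    """Base64-encode `data`, split it into chunks, and return one bookmark
    entry per chunk. Each entry mimics the shape of a Chromium bookmark
    (name / type / url); the payload lives entirely in the name."""
    b64 = base64.b64encode(data).decode("ascii")
    chunks = [b64[i:i + chunk_len] for i in range(0, len(b64), chunk_len)]
    total = len(chunks)
    return [
        {
            "name": f"{prefix}{idx:05d}/{total:05d}|{chunk}",
            "type": "url",
            # Placeholder URL (assumed); the URL carries nothing.
            "url": f"https://example.invalid/{prefix}{idx:05d}",
        }
        for idx, chunk in enumerate(chunks)
    ]


def bookmarks_to_data(bookmarks: list[dict], prefix: str = "b") -> bytes:
    """Reverse step: pull chunks out of bookmark names in whatever order
    they arrived, verify the set is complete, then decode. Chunk boundaries
    need not align with base64 quads because we join before decoding."""
    found: dict[int, str] = {}
    total = None
    for bm in bookmarks:
        m = NAME_RE.match(bm.get("name", ""))
        if not m or m.group(1) != prefix:
            continue  # ordinary bookmark, not part of the transfer
        idx, n, chunk = int(m.group(2)), int(m.group(3)), m.group(4)
        if total is None:
            total = n
        elif n != total:
            raise ValueError("chunks from different transfers are mixed")
        found[idx] = chunk
    if total is None:
        raise ValueError("no chunks found")
    missing = sorted(set(range(total)) - set(found))
    if missing:
        raise ValueError(f"missing chunks: {missing[:10]}")
    return base64.b64decode("".join(found[i] for i in range(total)))


if __name__ == "__main__":
    # Constructed sample payload, not real data.
    payload = b"x" * 10000
    entries = data_to_bookmarks(payload)
    print(f"{len(payload)} bytes -> {len(entries)} bookmarks")
    # Simulate arrival in a different order on the receiving device.
    assert bookmarks_to_data(list(reversed(entries))) == payload
```

Note that the receiving side is the only place where ordering and completeness are checked; anything that perturbs the names on the way through sync (truncation, deduplication, a stray edit) shows up there as a missing chunk rather than as silently corrupted output.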

“As for what kind of data could be leaked through this technique, I think it depends on the creativity of an adversary,” says Prefer.

Prefer’s research focused primarily on Google Chrome, the browser market share leader, and to a lesser extent on other browsers such as Edge, Brave and Opera, which are built on the same open source Chromium project as Chrome. But there is no reason bruggling wouldn’t work with other browsers such as Firefox and Safari, he says.

Other use cases

Significantly, bookmark syncing isn’t the only browser feature that can be abused in this way, says Prefer. “There are many other browser features used in sync that could be misused in a similar way, but that would require further investigation,” he says. As examples, he points to autofill data, extensions, browser history, stored passwords, preferences and themes, all of which can be synced. “With a little research, it might turn out that they can be abused as well,” says Prefer.

Ullrich says that Prefer’s paper was inspired by earlier research showing how browser extension synchronization could be used for data exfiltration and command and control. With that method, however, the victim would have had to install a malicious browser extension, he says.

Mitigating the threat

Prefer says that organizations can mitigate the risk of data exfiltration by disabling bookmark sync via Group Policy (in Chrome, the SyncDisabled policy turns sync off entirely, and SyncTypesListDisabled can exclude just bookmarks). Another option is to restrict which email domains are allowed to sign in to sync (Chrome’s RestrictSigninToPattern policy), so that attackers cannot use their own accounts to do so.

“[Data loss prevention] DLP monitoring already done by an organization can also be applied here,” he says.

Bookmark syncing wouldn’t be very useful as an exfiltration channel if sync ran more slowly, Ullrich says. “But being able to sync over 200,000 bookmarks and seeing only a little bit of a speed bump after 20,000 or 30,000 bookmarks makes this [very] valuable,” he says.

Browser vendors could therefore make things harder for attackers, for example by dynamically throttling bookmark sync based on factors such as account age or a sign-in from a new geographic location. Similarly, browsers could refuse to sync bookmarks whose names look like base64-encoded data, or bookmarks with excessively long names or URLs, says Prefer.
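A defender-side counterpart to the DLP monitoring and the browser-side checks discussed above. This is an added example, not code from the paper or from any browser vendor: it walks a Chromium-style Bookmarks JSON structure (the sample is constructed inline, not taken from a real profile) and flags names that look like encoded chunks rather than titles. The thresholds are assumed starting points, not tuned values.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# A run of base64-alphabet characters long enough that no real title has one.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64 text approaches 6, titles sit far lower."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def walk_bookmarks(node: dict):
    """Yield every url-type entry beneath a Chromium bookmark folder node."""
    if node.get("type") == "url":
        yield node
    for child in node.get("children", []):
        yield from walk_bookmarks(child)


def flag_bookmarks(bookmarks_file: dict, min_len: int = 64,
                   min_entropy: float = 4.5, long_run: int = 200) -> list[str]:
    """Return bookmark names that look like smuggled chunks.

    A name is flagged when a base64-alphabet run covers at least 80% of it
    and either (a) the run's entropy is near that of random base64, which
    catches encoded compressed or encrypted data, or (b) the run is simply
    very long, which catches low-entropy payloads such as repetitive text
    whose base64 form would slip past an entropy-only check.
    (All thresholds are assumptions.)"""
    flagged = []
    for root in bookmarks_file.get("roots", {}).values():
        for bm in walk_bookmarks(root):
            name = bm.get("name", "")
            if len(name) < min_len:
                continue
            m = BASE64_RUN.search(name)
            if not m:
                continue
            run = m.group(0)
            if len(run) < 0.8 * len(name):
                continue
            if shannon_entropy(run) >= min_entropy or len(run) >= long_run:
                flagged.append(name)
    return flagged


# --- Constructed sample input (not a real profile) ---------------------------
# 256 deterministic pseudo-random bytes stand in for an encrypted/compressed
# payload chunk; 300 bytes of "x" stand in for a highly repetitive plaintext.
_pseudo_random = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
HIGH_ENTROPY_NAME = base64.b64encode(_pseudo_random).decode("ascii")
LOW_ENTROPY_NAME = base64.b64encode(b"x" * 300).decode("ascii")   # "eHh4" * 100

SAMPLE = {
    "version": 1,
    "roots": {
        "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
            {"type": "url", "name": "Python 3 documentation",
             "url": "https://docs.python.org/3/"},
            {"type": "url",
             "name": "Understanding Chromium bookmark synchronisation internals, policies and pitfalls",
             "url": "https://example.invalid/long-title"},
            {"type": "folder", "name": "work", "children": [
                {"type": "url", "name": HIGH_ENTROPY_NAME, "url": "https://example.invalid/1"},
                {"type": "url", "name": LOW_ENTROPY_NAME, "url": "https://example.invalid/2"},
            ]},
        ]},
        "other": {"type": "folder", "name": "Other bookmarks", "children": []},
    },
}

if __name__ == "__main__":
    for name in flag_bookmarks(SAMPLE):
        print(f"suspicious bookmark name ({len(name)} chars): {name[:40]}...")
```

Run against a profile, this is a point-in-time check; the article’s volume observation (200,000 bookmarks syncing with barely a slowdown) suggests pairing it with a simple count-over-time rule, since a burst of thousands of new bookmarks is itself a stronger signal than any single name.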
