Malicious extension abuses Chrome sync to steal users’ data
2021-02-05 20:14

The Google Chrome Sync feature can be abused by threat actors to harvest information from compromised computers using maliciously crafted Chrome browser extensions.

Chrome Sync is a browser feature designed to automatically synchronize a user's bookmarks, history, passwords, and other settings after they log in with their Google account.

While malicious Chrome extensions are a dime a dozen, with Google removing hundreds of them each year from the Chrome Web Store, this one was special due to the way it was deployed.

The attacker's malicious add-on was camouflaged as the Forcepoint Endpoint Chrome Extension for Windows and installed directly from Chrome after enabling Developer mode.

To get access to the synced sensitive data, the threat actor would only have to log into the same Google account on another system running the Chrome browser, since third-party Chromium-based browsers are not allowed to use the private Google Chrome Sync API. This would then allow them to "communicate with the Chrome browser in the victim's network by abusing Google's infrastructure," Zdrnja revealed.

To block attackers from abusing Google Chrome's Sync API to harvest and exfiltrate data from corporate environments, Zdrnja recommends using group policies to create a list of approved Chrome extensions and block all others that haven't been checked for red flags.
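
The allowlist recommendation above maps onto Chrome's `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` enterprise policies. The following is an added example, not code from the article or from Zdrnja's write-up: it audits a policy set for default-deny behaviour. The function names are hypothetical, and the sample policies and placeholder extension IDs are constructed.

```python
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")


def is_install_permitted(policy: dict, ext_id: str) -> bool:
    """Allowlist entries override the blocklist; anything that is not
    blocklisted is installable by default."""
    allow = set(policy.get("ExtensionInstallAllowlist", []))
    block = set(policy.get("ExtensionInstallBlocklist", []))
    if ext_id in allow:
        return True
    return "*" not in block and ext_id not in block


def audit_extension_policy(policy: dict) -> list:
    """Return findings that keep the policy from being a default-deny allowlist."""
    findings = []
    allow = policy.get("ExtensionInstallAllowlist", [])
    block = policy.get("ExtensionInstallBlocklist", [])
    if "*" not in block:
        findings.append("blocklist lacks '*': unlisted extensions remain installable")
    for entry in allow:
        # A display name or URL never matches an ID, so the approved
        # extension would stay blocked.
        if not EXT_ID.match(entry):
            findings.append(f"allowlist entry is not an extension ID: {entry!r}")
    return findings


# Constructed sample data; the IDs are placeholders, not real extensions.
APPROVED = "a" * 32
UNREVIEWED = "b" * 32

WEAK = {"ExtensionInstallBlocklist": [UNREVIEWED]}  # deny-list only
HARDENED = {
    "ExtensionInstallBlocklist": ["*"],             # block everything...
    "ExtensionInstallAllowlist": [APPROVED],        # ...except reviewed IDs
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_extension_policy(pol) or "default-deny allowlist in place")
        print("  other unreviewed ID permitted:", is_install_permitted(pol, "c" * 32))
```

On Windows the same two policies are delivered through group policy; the dictionaries here mirror the JSON form Chrome reads from a managed policy file.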


News URL

https://www.bleepingcomputer.com/news/security/malicious-extension-abuses-chrome-sync-to-steal-users-data/