Browser synchronization abuse: Bookmarks as a covert data exfiltration channel

Two universal and seemingly innocuous browser features – the ability to create bookmarks (aka “favorites”) and browser synchronization – make users’ lives easier, but may also allow hackers to establish a covert data exfiltration channel.

Data exfiltration via bookmarks

Malicious browser extensions are a known and widespread threat, used by attackers to perform actions such as stealing passwords, exfitrating email data or delivering additional malware. Some attackers have also recently managed to exploit Chrome’s syncing feature and use an extension to connect their computer directly to a targeted workstation, creating a covert channel for remote data manipulation, but also (concievably) for data exfiltration and C&C communication.

But the use of browser extensions can be restricted in enterprise environments, blocking that particular access path, so SANS Technology Institute student David Prefer decided to investigate whether bookmarks could be exploited in a similar way.

He discovered that they can, and he created a basic PoC PowerShell script to make the process of data exfiltration via synced bookmarks easy.

Automated encoding and decoding of the data

Prefer’s research and testing was focused on Chromium-based browsers (Chrome, Edge, Brave and Opera), collectively used by a great majority of users.

He confirmed that synchronization is triggered by different actions related to bookmarks (creation, deletion, etc.) and that remoted devices usually receieve synced bookmarks in a matter of seconds. He also figured out the maximum number of characters bookmarks’ name and url fields can contain in order to be synced, as well as the maximum number of bookmarks that can be synced in one go.

He then used that information to create Brugglemark (the name is a portmanteau of “browser” + “smuggle” + “bookmarks”), a script that base64 encodes the provided text, splits it into smaller strings, and creates Chrome bookmarks by inserting them into the local Bookmarks file in a JSON format (with dummy text in the other requisite bookmark fields).

The data can then be reconstructed from those bookmarks when they have been synced to a remote system.

Releasing the PoC script to the public might not seem a good idea to many but, as Prefer told Help Net Security, there are a lot more powerful attack tools and scripts out there provided by the community, and a script like Brugglemark can be trivially built based on the information provided in his research paper.

The out-of-the-box use of the script is additionally limited by the fact that it requires PowerShell 6.0 to work.

“On Windows, I believe version 5.0 or 5.1 is the default version. I have no doubt that it could be enhanced to run on a lesser version, but as it stands you would have to install PS 6 or above to run the script,” he noted.

“Also, Brugglemark only really works with plaintext files, as it’s just a proof of concept. It fails with word documents and any other document type, so some work would have to go into it to make it support anything else.”

Not just data exfiltration

Smuggling data out of enterprise systems via bookmark syncing could be performed by using existing (compromised) browser profiles/accounts or by attackers creating and logging in with their own account. The bookmarks and/or the attacker’s profile can be hidden from users’ view by creating them into alternative locations.

“But using bookmarks and sync for exfiltration alone would miss the point; browser sync provides a two-way channel for data,” Prefer noted.

“Bookmarks could be used to bring attack scripts or tools into an environment, deliver malicious payloads, or transfer data between systems during lateral movement. They can even be leveraged to gain an initial foothold as a soft of two-step phishing attack. For instance, if a user is signed into the browser at work and uses the same account to sign in on their personal computer at home, that home computer provides a way into the corporate network.”

Attackers can then, for example, change a bookmark for a site the victim often frequents to point to a lookalike phishing site.

Defensive actions

Enterprise defenders can implement several steps to harden systems against browser synchronization abuse, Prefer noted, including limiting the email domains allowed to sign in for sync and application allowlisting (to prevent the installation of unsanctioned, offensive Chromium builds with an attacker-controlled synchronization infrastructure).

“The caveat [for this latter approach] though is that it’s going to be more work (probably more than it’s worth versus other techniques) and also loses the benefit of syncing via an accepted domain like google.com. Still, I thought I should mention it as a possibility,” he noted.

There are also a number of things defenders/threat hunters can do to discover data being exfiltrated in this way: scanning for unauthorized browser executables, looking for abnormal volume requests fron a single host, looking for browser profiles outside of default filesystem locations, and more.

Finally, browser developers could also make changes that would prevent outside tampering with bookmarks or set more restricting limits for the synchronization option.

Don't miss