An extension was discovered that misused the Chrome Sync feature to gain access to the user's information

Chrome Sync is a feature of Google Chrome that saves copies of the user's browsing history, bookmarks, passwords, and browser and extension settings once they sign in to their Google account. Its purpose is to keep these details consistent across all of the user's devices, so that they are available in Chrome on any device, wherever the user goes.

It was recently reported that threat actors have discovered they can abuse the Google Chrome Sync feature to send commands to already compromised browsers and steal data from infected systems, passing through firewalls and other defenses by way of carefully crafted Chrome browser extensions.

Bojan Zdrnja, a security consultant, discovered a malicious Chrome extension that was misusing the Chrome Sync feature to communicate with a command and control (C&C) server and take data from compromised browsers. He reported that in the incident he investigated, the attackers had downloaded a Chrome extension onto the victim's computer and loaded it by enabling the browser's Developer Mode. Although the attackers already controlled the user's computer, they could not easily get at the information they wanted, because it was held inside the employee's web portal. The attackers disguised the extension as "Forcepoint Endpoint Chrome Extension for Windows", and it contained code that abused Chrome Sync in a way that gave them control over the browser and access to the user's synced cloud storage.
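A defender-side check for the sideloading step described above: this added Python example (not from the article or from Zdrnja's report) parses a Chrome profile's Preferences JSON and flags extensions that were loaded unpacked via Developer Mode. The file layout and the `location` codes are assumptions drawn from Chromium's ManifestLocation enum, and the sample profile data is constructed.

```python
"""Flag Chrome extensions loaded unpacked (Developer Mode), the sideloading
step described in the article.  Assumed: Chrome records per-profile extension
state under extensions -> settings in the profile's "Preferences" file (on
Windows also "Secure Preferences"); `location` follows Chromium's
ManifestLocation enum (1 = Web Store/internal, 4 = unpacked); Web Store
installs keep a relative "<id>/<version>" path, unpacked ones an absolute path."""
import json
from pathlib import PurePosixPath, PureWindowsPath

LOCATION_UNPACKED = 4  # assumed Chromium ManifestLocation value for unpacked

# Constructed sample modelled on a Chrome Preferences file; the second entry
# mirrors the disguised extension name from the article (name only, no real data).
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
        "location": 1,
        "path": "abcdefghijklmnopabcdefghijklmnop\\1.2.3_0",
        "manifest": {"name": "Example Web Store extension"}},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "location": LOCATION_UNPACKED,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\fpext",
        "manifest": {"name": "Forcepoint Endpoint Chrome Extension for Windows"}},
}}})


def find_unpacked_extensions(prefs_text: str) -> list:
    """Return one finding per extension that looks sideloaded, with the reasons."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        path = entry.get("path", "")
        reasons = []
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("location=unpacked")
        # Profiles store native paths; an absolute path on either OS means the
        # extension was not installed from the Web Store cache.
        if PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute():
            reasons.append("absolute install path")
        if reasons:
            findings.append({"id": ext_id,
                             "name": entry.get("manifest", {}).get("name", "?"),
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_PREFS with the contents of a real profile's Preferences file.
    for f in find_unpacked_extensions(SAMPLE_PREFS):
        print(f"{f['id']}  {f['name']!r}  {f['path']}  ({', '.join(f['reasons'])})")
```

Either signal alone is worth triage; a hit on both is the pattern a Developer Mode sideload leaves behind.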

To get full control over the synced data, the attacker only needs to log into the same Google account on another device running the Chrome browser, because third-party Chromium-based browsers cannot use the private Google Chrome Sync API.

Even though Google removes around a dozen Chrome extensions like this, this case was a little different because of the way it was executed. Zdrnja says the attacker's main aim was to use the extension to get at data in an internal web application that only the victim had access to.

Zdrnja reported these activities just last week and said that the attacker also wanted to extend their limited access on the victim's workstation to web applications, which may be why they carried out the attack in this manner.