Croatian cybersecurity researcher Bojan Zdrnja identified a malicious Google Chrome extension that abuses the Chrome Sync feature and can let hackers steal data from compromised systems while bypassing conventional firewalls and other network defenses.
For those who don't use the Chrome browser: Chrome Sync is a Chrome feature that saves copies of the browser and extension settings, bookmarks, browsing history, and passwords on Google's cloud servers.
The feature syncs these details for a given Chrome user across their devices, so the user always has access to their most current Chrome data wherever they go.
Chrome Sync Feature Was Recently Exploited
Bojan Zdrnja stated that, in the incident he investigated, the attackers had obtained access to the targeted system. However, because the information they wanted to steal was in an employee's portal, they downloaded a Chrome extension onto the user's system and loaded it through the Chrome browser's developer mode.
The extension, which posed as a security add-on from security company Forcepoint, contained malicious code that exploited the Chrome Sync feature to let the attackers take control of the infected browser.
According to Bojan Zdrnja, the end purpose of the extension was to manipulate data in an internal web application that the victim had access to. He further said in the report that while the attackers also wanted to extend their access, they restricted their activities on this workstation to those associated with web applications, which explains why they dropped only the malicious Chrome extension and no other binaries.
The Croatian researcher strongly suggested that companies use Chrome's enterprise features and group policy support, which offer better control over which extensions are allowed or blocked from being installed in the Chrome browser. This keeps users from installing rogue extensions similar to the one (Forcepoint Endpoint for Windows) that he investigated and reviewed.
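As a companion to the allow/block control described above, the following added example (not code from the researcher's report) audits a Chrome profile's extension settings for extensions loaded through developer mode or missing from an approved list. It assumes the profile's Preferences or Secure Preferences JSON keeps entries under `extensions.settings` with a numeric `location` field numbered as in Chromium's manifest location enum; the function names, sample IDs, names and paths are constructed for illustration.

```python
import json

# Assumption: "location" uses Chromium's manifest location numbering
# (4 = unpacked via developer mode, 8 = --load-extension, 5/10 = built-in).
SIDELOADED = {4: "unpacked (developer mode)", 8: "loaded from command line"}
BUILTIN = {5, 10}

def load_prefs(path):
    """Read a profile's Preferences or Secure Preferences JSON file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def audit_extensions(prefs, allowlist):
    """Flag extensions that were sideloaded or are missing from the allowlist."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in sorted(settings.items()):
        if not isinstance(entry, dict) or entry.get("location") in BUILTIN:
            continue
        reasons = []
        if entry.get("location") in SIDELOADED:
            reasons.append(SIDELOADED[entry["location"]])
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if reasons:
            findings.append({
                "id": ext_id,
                # The manifest may be absent for an entry, so report the path too.
                "name": entry.get("manifest", {}).get("name", "<unknown>"),
                "path": entry.get("path", ""),
                "reasons": reasons,
            })
    return findings

# Constructed sample data (IDs, names and paths are placeholders, not real IoCs).
SAMPLE_PREFS = {"extensions": {"settings": {
    "a" * 32: {"location": 1, "path": "a" * 32 + "/1.0_0",
               "manifest": {"name": "Approved Password Manager"}},
    "b" * 32: {"location": 4, "path": "C:/Users/example/Downloads/forcepoint-endpoint"},
    "c" * 32: {"location": 5, "path": "resources/pdf",
               "manifest": {"name": "Built-in PDF Viewer"}},
    "d" * 32: {"location": 1, "path": "d" * 32 + "/2.3_0",
               "manifest": {"name": "Unreviewed Toolbar"}},
}}}
ALLOWLIST = {"a" * 32}

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFS, ALLOWLIST):
        print(f["id"], f["name"], f["path"], "; ".join(f["reasons"]))
```

A vendor name in the manifest or folder name is not evidence of legitimacy, so the check keys on the extension ID and load location rather than the displayed name.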