
In Google Chrome's most recent version (v19), Google introduced a "tab sync" feature. Imperva's Application Defence Centre (ADC) has inspected this feature from a security perspective and has discovered a new type of threat that can allow a hacker to comfortably "leap" from a compromised home computer to work computer. Imperva has named this kind of threat BYOB for "Bring Your Own Browser".  Below are Imperva's ADC's findings.

When Syncing Sinks Your Browser


Today, BYOD mobile devices mix work data with personal endpoints; BYOB does exactly the same thing, only it is more elusive, as there is no physical device involved.

Let's start with the view of browser syncing according to Google:

Say you’ve found an awesome recipe on your work computer while... ahem... working hard at the office. But when you get back home, you can’t quite remember if it was two teaspoons of baking soda or two teaspoons of baking powder. Wouldn’t it be cool if you could pull up the same recipe on your home computer with one click?

With today’s Stable release of Chrome, you can. When you’re signed in to Chrome, your open tabs are synced across all your devices, so you can quickly access them from the “Other devices” menu on the New Tab page. If you’ve got Chrome for Android Beta, you can open the same recipe tab right on your phone when you run out to the store for more ingredients. The back and forward buttons will even work, so you can pick up browsing right where you left off.

Open tabs aren’t the only things that sync when you sign in to Chrome. Signing in to Chrome also syncs your bookmarks, apps, extensions, history, themes, and other settings. That way, when you sign in to Chrome, you can have your personal Chrome experience on all your devices. Just go to the Chrome menu and select “Sign in to Chrome.”

So when you sign in to Chrome, what gets synced? By default, everything:

We can divide the synced information into two main groups:

  • #1 Personal data. For example, the autofill feature remembers the addresses and credit card details the user has typed in. The good news? We found that credit card details are not synced across accounts. We are not sure whether this is by design, as we were unable to find an official reference for that behavior. Usernames and passwords, however, are synced.
  • #2 Browser behavior is also synced:
    • Extensions/apps/themes – can change the browser's internal behavior and also its look and feel.
    • Settings – control the browser's internal behavior. Some examples of sensitive controls include:

So when you are syncing your data you are:

  • Sharing (even more) personal data with Google: You provide Google with some extra data. Since Google already knows a lot about your online activity, syncing amplifies the problem.
  • Sharing (even more) personal data with everyone who knows your Google password: This is an existing problem, since knowing the password already allows access to your Google account, which includes some sensitive data in your e-mail, documents, etc. Syncing amplifies the problem again. (Recall what happened to HBGary Federal CEO Aaron Barr, who used the same password on several accounts; now Google does it for you.)
  • Allowing everyone who knows your password to change the way your browser works: We believe that this last point really changes things for browser security and creates some new attack opportunities for hackers. It provides the hacker with a simple way to leap from the victim's home environment (usually very insecure) to the work environment (usually secured, with an updated AV and other endpoint solutions).

Consider the following scenario: The user is signed in to Chrome on both the work and the home computer (so he can "remember if it was two teaspoons of baking soda or two teaspoons of baking powder"). The home computer gets infected by malware. Now all of the synced work data (such as work-related passwords) is owned by the malware.

But it gets worse: the malware can take over the work computer environment. There are two ways:

Possible exploitation #1 – The malware installs a rogue extension in the Chrome browser on the home computer (rogue extensions have been successfully uploaded to the Web Store in the past: http://www.zdnet.com/blog/security/malicious-chrome-extensions-hijack-facebook-accounts/11074). The extension is synced automatically to the work computer and can now do whatever it wants with the work browsing data. For example, it can send every page you visit to the hacker's website.

Possible exploitation #2 – The malware changes the home page or a bookmark on the home computer to point to a malware infection site. Settings are synced to your work environment. When you open your browser at work, you get infected by a 0-day drive-by download. To avoid detection, the page can display the original page after the infection has occurred.

Even if the malware is disinfected on the work computer, it is able to re-infect over and over again, as the root cause of the infection (the home computer) is outside the reach of the IT department.
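As an added illustration of the detection side (not code from the article or from Imperva), the following Python script audits a Chrome profile's Preferences JSON for exactly the drift the two scenarios produce: an enabled extension outside the corporate allowlist, and a homepage or startup URL that no longer matches the baseline. The Preferences key layout, the extension ids and the URLs are assumptions constructed for the sample.

```python
import json

# Constructed sample modelled on the JSON layout of a Chrome profile's
# "Preferences" file; the key names below are an assumption about that
# layout, not taken from the article.
CORP_HOMEPAGE = "https://intranet.example.invalid/"
SSO_HELPER_ID = "abcdefghijklmnopabcdefghijklmnop"   # constructed extension id
RECIPE_SAVER_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"  # constructed extension id

SAMPLE_PREFS = json.dumps({
    "homepage": "http://recipes.example.invalid/landing",   # drifted via sync
    "session": {"startup_urls": [CORP_HOMEPAGE,
                                 "http://recipes.example.invalid/start"]},
    "extensions": {"settings": {
        SSO_HELPER_ID: {"state": 1, "manifest": {"name": "Corp SSO helper"}},
        RECIPE_SAVER_ID: {"state": 1, "manifest": {"name": "Recipe Saver"}},
    }},
})


def audit_preferences(prefs_text, allowed_ext_ids, expected_homepage,
                      expected_startup_urls):
    """Return (kind, value, detail) findings for settings that drifted
    away from the corporate baseline, e.g. because sync pulled them in."""
    prefs = json.loads(prefs_text)
    findings = []
    # Extensions: any enabled id outside the allowlist is suspect, because
    # sync installs it on every signed-in device without further approval.
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        if entry.get("state") == 1 and ext_id not in allowed_ext_ids:
            name = entry.get("manifest", {}).get("name", "<unknown>")
            findings.append(("extension", ext_id, name))
    # Homepage and startup URLs: a synced change here redirects the first
    # page every work session opens.
    homepage = prefs.get("homepage")
    if homepage and homepage != expected_homepage:
        findings.append(("homepage", homepage, expected_homepage))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if url not in expected_startup_urls:
            findings.append(("startup_url", url, "not in baseline"))
    return findings


def audit_sample():
    """Run the audit against the constructed sample profile."""
    return audit_preferences(SAMPLE_PREFS, {SSO_HELPER_ID},
                             CORP_HOMEPAGE, {CORP_HOMEPAGE})
```

Run against a real profile by reading its Preferences file into `audit_preferences` with the organisation's own allowlist and baseline URLs.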

We name this kind of threat BYOB, for "Bring Your Own Browser". While BYOD creates the challenge of mixing work data and personal endpoints, BYOB does exactly the same, but it is more elusive, as there is no physical device involved.