Croatian information security specialist Bojan Zdrnja discovered that Google Chrome’s built-in sync function could be used by malicious extensions to steal passwords and other personal data from users’ devices.
According to SecurityLab.ru, an unnamed malicious extension uses the Chrome Sync feature to communicate with the attackers’ remote server, and through this channel they can obtain passwords and other data. Chrome Sync exists to synchronize data between a user’s devices: passwords, bookmarks, browsing history, browser settings and extensions, all of which are stored in the cloud on Google’s servers.
The malware was disguised as the Forcepoint security extension and allowed an attacker to control the infected browser. Its code created a special text field in which it stored token keys that were then synchronized to the Google cloud; the stored data could be anything, including passwords.
“To download, read or delete these keys, the attacker only had to log in with the same Google account, but in a different Chrome browser (it could be a one-time account). After that, he could interact with the Chrome browser on the victim’s network, abusing Google’s infrastructure,” wrote Bojan Zdrnja on the Internet Storm Center forum.
The expert advises using Chrome’s enterprise features and group policies to control installed extensions and, where necessary, block them.
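As an added example of the policy-based control the article recommends (this is not code from the article or from Zdrnja’s write-up), the following PowerShell applies Chrome enterprise policies on a Windows machine through the registry keys that Group Policy itself writes: it blocks sideloaded extensions, blocks every extension except an allowlisted one, and stops extension data from being synced through the Google account. The allowlisted extension ID is a placeholder, and the exact sync data-type names should be checked against the Chrome Enterprise policy list for the Chrome version in use.

```powershell
# Added example: restrict Chrome extensions and extension sync via enterprise policy.
# Assumptions: run from an elevated PowerShell; '<allowlisted-extension-id>' is a
# placeholder to be replaced with the 32-character ID of an approved extension.
$chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $chrome -Force | Out-Null

# Block extensions installed from outside the Chrome Web Store (sideloading).
Set-ItemProperty -Path $chrome -Name 'BlockExternalExtensions' -Value 1 -Type DWord

# ExtensionSettings is stored as a single JSON string. The '*' entry is the default
# for every extension not listed explicitly: installation is blocked and the user
# sees a message pointing them to IT. Only the allowlisted ID may be installed.
$settings = [ordered]@{
    '*' = [ordered]@{
        installation_mode       = 'blocked'
        blocked_install_message = 'Extensions are managed centrally; contact IT to request one.'
    }
    '<allowlisted-extension-id>' = [ordered]@{
        installation_mode = 'allowed'
    }
} | ConvertTo-Json -Depth 4 -Compress
Set-ItemProperty -Path $chrome -Name 'ExtensionSettings' -Value $settings -Type String

# List policies are written as numbered string values under a subkey. Disabling the
# extension and app sync types keeps extension-stored data out of the Sync channel
# the article describes; verify the type names against the current policy docs.
$syncKey = "$chrome\SyncTypesListDisabled"
New-Item -Path $syncKey -Force | Out-Null
Set-ItemProperty -Path $syncKey -Name '1' -Value 'extensions' -Type String
Set-ItemProperty -Path $syncKey -Name '2' -Value 'apps' -Type String

# Show what was written so the result can be compared with chrome://policy.
Get-ItemProperty -Path $chrome | Select-Object BlockExternalExtensions, ExtensionSettings
Get-ItemProperty -Path $syncKey
```

After restarting Chrome, chrome://policy lists the applied values and flags any policy it rejected; the same settings can be delivered through the Chrome ADMX templates in a Group Policy Object instead of direct registry writes.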