Bookmark synchronization has become a standard feature in modern browsers: It gives Internet users a way to ensure that the changes they make to bookmarks on a single device take effect simultaneously across all their devices. However, it turns out that this same helpful browser functionality also gives cybercriminals a handy attack path.
To wit: Bookmarks can be abused to siphon out reams of stolen data from an enterprise environment, or to sneak in attack tools and malicious payloads, with little risk of being detected.
David Prefer, an academic researcher at the SANS Technology Institute, made the discovery as part of broader research into how attackers can abuse browser functionality to smuggle data out from a compromised environment and carry out other malicious functionality.
In a recent technical paper, Prefer described the process as "bruggling" — a portmanteau of browser and smuggling. It's a novel data exfiltration vector that he demonstrated with a proof-of-concept (PoC) PowerShell script called "Brugglemark" that he developed for the purpose.
The Fine Art of Bruggling
"There's no weakness or vulnerability that is being exploited with the synchronization process," Prefer stresses. "What this paper hones in on is the ability to name bookmarks whatever you want, and then synchronize them to other signed-in devices, and how that very convenient, helpful functionality can be twisted and misused in an unintended way."
An adversary would already need access — either remote or physical — to the environment and would have already infiltrated it and collected the data they want to exfiltrate. They could then either use stolen browser synchronization credentials from a legitimate user in the environment or create their own browser profile, then access those bookmarks on another system where they've been synchronized to access and save the data, Prefer says. An attacker could use the same technique to sneak malicious payloads and attack tools into an environment.
The benefit of the technique is, put simply, stealth.
Johannes Ullrich, dean of research at the SANS Institute, says data exfiltration via bookmark syncing gives attackers a way to bypass most host and network-based detection tools. To most detection tools, the traffic would appear as normal browser synch traffic to Google or any other browser maker. "Unless the tools look at the volume of the traffic, they will not see it," Ullrich says. "All traffic is also encrypted, so it is a bit like DNS over HTTPs or other 'living off the cloud' techniques," he says.
Bruggling in Practice
In terms of how an attack might be carried out in the real world, Prefer points to an example where an attacker might have compromised an enterprise environment and accessed sensitive documents. To exfiltrate the data via bookmark synching, the attacker would first need to put the data into a form that can be stored as bookmarks. To do this, the adversary could simply encode the data into base64 format and then split the text into separate chunks and save each of those chunks as individual bookmarks.
Prefer discovered — through trial and error — that modern browsers allow a considerable number of characters to be stored as single bookmarks. The actual number varied with each browser. With the Brave browser, for example, Prefer discovered he could synchronize, very quickly, the entirety of the book Brave New World using just two bookmarks. Doing the same with Chrome required 59 bookmarks. Prefer also discovered during testing that browser profiles could synchronize as many as 200,000 bookmarks at a time.
Once the text has been saved as bookmarks and synchronized, all that the attacker would need to do is sign into the browser from another device to access the content, reassemble it, and decode it from base64 back into the original text.
"As for what kind of data could be exfiltrated via this technique, I think that's up to the creativity of an adversary," Prefer says.
Prefer's research was primarily focused on browser market share leader Google Chrome — and to a lesser extent on other browsers such as Edge, Brave, and Opera, which are all based on the same open source Chromium project that Chrome is built upon. But there's no reason why bruggling won't work with other browsers such as Firefox and Safari, he notes.
Other Use Cases
Significantly, bookmark syncing is not the only browser function that can be abused this way, Prefer says. "There are plenty of other browser features that are used in synchronization that could be misused in a similar way, but would require research to investigate," he says. As examples, he points to autofills, extensions, browser history, stored passwords, preferences, and themes, which can all be synchronized. "With a bit of research, it might turn out that they can also be abused," Prefer says.
Ullrich says Prefer's paper was inspired by earlier research that showed how browser extension syncing could be used for data exfiltration and command and control. With that method, however, a victim would have been required to install a malicious browser extension, he says.
Mitigating the Threat
Prefer says organizations can mitigate the risk of data exfiltration by disabling bookmark syncing using Group Policy. Another option would be to limit the number of email domains that are allowed to sign in for syncing, so attackers would not be able to use their own account to do it.
"[Data loss protection] DLP monitoring that an organization already performs can be applied here as well," he says.
Bookmark syncing would not work very well if the syncing happened at a slower speed, Ullrich says. "But being able to sync 200,000+ bookmarks, and only seeing some speed throttling after 20,000 or 30,000 bookmarks makes this [very] valuable," he says.
Thus, browser makers can make things harder for attackers for instance by dynamically throttling bookmark syncing based on factors like the age of an account or logins from a new geographic location. Similarly, bookmarks that contain base64 encoding could be prevented from syncing, as well as bookmarks with excessive names and URLs, Prefer says.