A cyber security researcher has discovered a malicious Google Chrome extension in the wild abusing the Chrome Sync process that can help hackers steal user data.
Hackers can use the Google Chrome sync feature to send commands to infected browsers and steal data from infected systems, bypassing traditional firewalls and other network defenses.
Croatian security researcher Bojan Zdrnja found a malicious Chrome extension that can communicate with a remote command and control (C&C) server and as a way to exfiltrate data from infected browsers, reports ZDNet.
Chrome sync is a feature of the Chrome web browser that stores copies of a user’s Chrome bookmarks, browsing history, passwords, and browser and extension settings on Google’s cloud servers.
According to Zdrnja, the goal was to use the extension to “manipulate data in an internal web application that the victim had access to.”
“While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries,” Zdrnja said in the report.
The basis for this attack were malicious extensions that the attacker dropped on the compromised system.
“Now, malicious extensions are nothing new – there were a lot of analysis about such extensions and Google regularly removes dozens of them from Chrome Web Store, which is the place to go to in order to download extensions,” the security researcher mentioned.
If you have an interesting article / experience / case study to share, please get in touch with us at [email protected]