Malicious Chrome extensions can steal data by abusing Sync feature

Security researcher reveals malicious use of a Chrome extension: C&C and data exfiltration are possible through the Sync feature.


Bojan Zdrnja, an IT security researcher, published research revealing that attackers abused Google Chrome's Sync feature for command and control (C&C) communication and for exfiltrating data.

Zdrnja, a cybersecurity specialist, states that the attackers abused extremely powerful, legitimate features of the Chrome browser.


How did it happen?


Chrome users normally install extensions from the Chrome Web Store. Attackers do try to plant malicious extensions in that store, and Google removes multiple suspicious extensions every day. In this case, however, the attackers used a different channel.


According to Zdrnja:



“The attackers did not use Chrome Web Store but dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation.”


The scary part is that this is a legitimate feature of the Chrome browser. It is reached by going to More Tools, then Extensions, and enabling Developer mode. After this, an extension can be loaded from a local folder by clicking "Load unpacked".
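Because a sideloaded extension never passes through the Web Store, a defender's first check on a suspect workstation is to inventory which installed extensions were loaded unpacked from a local folder. The script below is an added example written for this article, not code from the original post or from the researcher. It assumes that Chrome's per-profile Preferences (or Secure Preferences) JSON lists installed extensions under extensions.settings, keyed by extension ID, with an integer location field where Chromium's Manifest::Location enum uses 1 for Web Store installs and 4 for unpacked (Developer-mode) loads; both the field layout and the enum values should be confirmed against the Chromium source for the version under investigation. The sample preferences embedded in the script are constructed, and the extension IDs and the file path are placeholders.

```python
import json
import sys
from typing import Dict, List

# Assumed Chromium Manifest::Location values (confirm for your Chrome version).
LOCATION_INTERNAL = 1   # installed from the Chrome Web Store
LOCATION_UNPACKED = 4   # loaded via Developer mode -> "Load unpacked"


def find_unpacked_extensions(prefs: dict) -> List[Dict[str, object]]:
    """Return every extension whose install location is UNPACKED.

    For each finding, report the ID, the declared name, the on-disk folder and
    the declared permissions, so an analyst can see at a glance whether a
    sideloaded extension asked for capabilities such as "storage" (needed to
    write into the Sync-replicated chrome.storage.sync area).
    """
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if not isinstance(entry, dict):
            continue
        if entry.get("location") != LOCATION_UNPACKED:
            continue
        manifest = entry.get("manifest", {}) or {}
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "<unknown>"),
            "path": entry.get("path", ""),
            "permissions": sorted(manifest.get("permissions", [])),
        })
    return findings


def load_preferences(path: str) -> dict:
    """Read a Chrome Preferences/Secure Preferences file (plain JSON)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample profile, not data from a real machine. The IDs and the
# folder path are placeholders; the second entry mimics an unpacked extension
# that borrows a vendor's name, as described in the article.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "a" * 32: {
                "location": LOCATION_INTERNAL,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0_0",
                "manifest": {"name": "Example Web Store Extension",
                             "permissions": ["tabs"]},
            },
            "b" * 32: {
                "location": LOCATION_UNPACKED,
                "path": "C:\\PLACEHOLDER\\sideloaded_extension",
                "manifest": {"name": "Forcepoint Endpoint Chrome Extension for Windows",
                             "permissions": ["storage", "tabs"]},
            },
        }
    }
}


if __name__ == "__main__":
    # Usage: python check_unpacked.py [path-to-Chrome-Preferences]
    prefs = load_preferences(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    for hit in find_unpacked_extensions(prefs):
        print(f"UNPACKED extension {hit['id']}: {hit['name']!r} "
              f"from {hit['path']} permissions={hit['permissions']}")
```

Run it against a live profile's Preferences file to list sideloaded extensions; an unpacked extension whose name imitates a security vendor and that declares the storage permission is exactly the pattern worth pulling for manual review.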

[Image: loading an unpacked extension in Developer mode. Image source: Bojan Zdrnja]

The malicious extension was disguised as "Forcepoint Endpoint Chrome Extension for Windows". The attackers copied Forcepoint's name and logo to make the extension look legitimate; Forcepoint, of course, had no connection to it.