CyberWire Daily - Targeting your browser bookmarks? [Research Saturday]
Episode Date: October 1, 2022
David Prefer from SANS sits down with Dave to discuss how a new covert channel exfiltrates data via a browser's built-in bookmark sync. As David puts it, the research will "describe how ...the ability to synchronize bookmarks across devices introduces a novel vector for data exfiltration and other misuses." He explains how he tested that hypothesis across multiple browsers, including Chrome, Edge, Brave and Opera, and found that bookmarks can hold arbitrary data and synchronize it, which makes them a workable channel for smuggling data out of an environment. David shares the rest of his findings, as well as what organizations and browser developers can do about this new threat. The research can be found here: Bookmark Bruggling: Novel Data Exfiltration with Brugglemark
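The channel summarized above, as an added example that is not part of this page and is not Prefer's own Brugglemark tool: Python that base64-encodes a file, splits it into bookmark-name-sized chunks laid out as Chromium `Bookmarks`-file nodes, reassembles the file from those nodes, and audits a parsed `Bookmarks` file for names that look like base64 chunks or for an implausible number of entries. The 9,000-character chunk size (taken from the Chrome sync limit Prefer describes), the 512-character and 10,000-bookmark flag thresholds, the `example.invalid` ordering URLs, and the sample bookmark tree are all assumptions or constructed data.

```python
import base64
import json
import re

# Assumed limits: Prefer observed that Chrome only syncs bookmarks of roughly
# 9,000 characters, and no user types a 512-character bookmark name by hand.
CHUNK_SIZE = 9000          # assumption: stay below Chrome's observed sync limit
NAME_LEN_THRESHOLD = 512   # assumption: flag names at or above this length
MAX_BOOKMARKS = 10000      # assumption: flag profiles holding more entries
INDEX_URL = "https://example.invalid/chunk/"   # hypothetical URL carrying chunk order
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def encode_to_bookmarks(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Base64-encode data and split it into Chromium-style 'url' nodes.

    The payload rides in the bookmark name; the URL only carries a
    zero-padded sequence number so the receiver can restore the order."""
    b64 = base64.b64encode(data).decode("ascii")
    chunks = [b64[i:i + chunk_size] for i in range(0, len(b64), chunk_size)]
    return [{"type": "url", "name": chunk, "url": f"{INDEX_URL}{i:06d}"}
            for i, chunk in enumerate(chunks)]


def decode_from_bookmarks(nodes) -> bytes:
    """Reverse of encode_to_bookmarks: select the carrier nodes, sort by the
    sequence number in the URL, join the names and base64-decode."""
    carriers = [n for n in nodes
                if n.get("type") == "url" and n.get("url", "").startswith(INDEX_URL)]
    carriers.sort(key=lambda n: int(n["url"][len(INDEX_URL):]))
    return base64.b64decode("".join(n["name"] for n in carriers))


def load_bookmarks(path: str) -> dict:
    """Parse a Chromium profile's 'Bookmarks' file (plain JSON on disk)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def walk(node):
    """Yield every 'url' node beneath a folder of a Chromium bookmark tree."""
    if not isinstance(node, dict):
        return
    if node.get("type") == "url":
        yield node
    for child in node.get("children", []):
        yield from walk(child)


def audit_bookmarks(bookmarks: dict,
                    name_len: int = NAME_LEN_THRESHOLD,
                    max_count: int = MAX_BOOKMARKS) -> list:
    """Flag bookmark names that look like base64 chunks, plus oversized
    profiles. Input is the parsed JSON of a Chromium 'Bookmarks' file
    (roots -> bookmark_bar / other / synced)."""
    nodes = [n for root in bookmarks["roots"].values() for n in walk(root)]
    findings = []
    for n in nodes:
        name = n.get("name", "")
        if len(name) >= name_len and B64_RE.match(name):
            findings.append(("base64_like_name", len(name), n.get("url")))
    if len(nodes) > max_count:
        findings.append(("bookmark_count", len(nodes), None))
    return findings


# Constructed sample: a benign profile plus an 1,800-byte "export" smuggled in
# 600-character chunks under "Other bookmarks". Not real data.
SAMPLE_TEXT = b"CONSTRUCTED SAMPLE: quarterly payroll export\n" * 40
SAMPLE_BOOKMARKS = {
    "roots": {
        "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
            {"type": "url", "name": "CyberWire", "url": "https://thecyberwire.com/"},
            {"type": "folder", "name": "work", "children": [
                {"type": "url", "name": "SANS Reading Room",
                 "url": "https://www.sans.org/white-papers/"}]}]},
        "other": {"type": "folder", "name": "Other bookmarks",
                  "children": encode_to_bookmarks(SAMPLE_TEXT, chunk_size=600)},
        "synced": {"type": "folder", "name": "Mobile bookmarks", "children": []},
    }
}

if __name__ == "__main__":
    restored = decode_from_bookmarks(SAMPLE_BOOKMARKS["roots"]["other"]["children"])
    print("round trip ok:", restored == SAMPLE_TEXT)
    for kind, size, url in audit_bookmarks(SAMPLE_BOOKMARKS):
        print(f"{kind}: {size} -> {url}")
```

The audit deliberately keys on name length plus a pure base64 alphabet rather than on entropy: real bookmark names contain spaces and punctuation, while a 512-character run with neither is exactly what chunked base64 looks like. A proxy that decrypts the sync traffic Prefer mentions could apply the same two checks to the bookmark names inside each sync request.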
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
You know, I actually had this idea sort of come to me a few years back, actually,
where I was contemplating how there are some extremely common applications that most organizations are likely to be using.
And then sort of wondering to myself, you know, how many of those have an inherent need to communicate with or access resources outside of the corporate network.
And so that kind of drew my attention to browsers and what functions might exist that
may not have been given much attention in that regard.
That's David Prefer. He's a student at the SANS Technology Institute.
The research we're discussing today is titled Bookmark Bruggling,
Novel Data Exfiltration with BruggleMark.
Well, I think it's fair to say that browsers, certainly at this point, are fairly sophisticated.
I've heard some people refer to them as almost being operating systems in their own right.
I mean, what sorts of functions drew your attention?
I mean, I was just kind of thinking of anything.
But what came to my mind actually was bookmarks, like actually just almost right out the gate.
Yeah, I mean, well, and one of the things that came before that was search history.
So, you know, whatever you type in, say, Google or whatever,
and, you know, Google Chrome or Microsoft Edge and stuff like that,
you know, that all gets, you know, saved offline by the browser.
And bookmarks, I started looking at there,
and it turns out that, you know, it does the same thing too.
Well, explain for us, for folks who may not be familiar with it, how exactly does this bookmark synchronization work?
When you sign into your account in Google Chrome or whatever browser that you're using, it synchronizes to clients4.google.com.
The full URL is in the research paper.
Each synchronization that occurs generates an HTTP POST request to clients4.google.com.
And profiles can then, when you're signed in there, synchronize bookmarks and history and extensions, themes, whatever you want, back and forth with Google.
And so, I mean, this is for the user's convenience.
So if you're using multiple devices or a desktop device, a mobile device, it all syncs automatically.
And in general, this is a good thing.
Yeah.
Oh, yeah.
It does wonders for usability.
So what was the issue here that you're exploring, the potential vulnerability?
Yeah.
So, I mean, the way it works is, you know, again, you know, browsers feature those built-in synchronization capabilities.
And bookmarks, it's a user-controlled function, right?
So as a user, I can just go in and save a bookmark for any website I want and give that bookmark whatever name I want to give it.
It's completely up to me and only me as a user.
And so when you've got that sort of flexibility and you combine it with a synchronization function,
then you have a workable channel for data exfiltration, right?
So, and browsers are this, you know, again,
it's this usability thing, right?
So browsers are inherently a consumer-first technology.
And, you know, that's what their goal is there, right?
Yeah.
So let's walk through what you all discovered here.
I mean, let's go through it step by step.
How did you go about this research?
Yeah, so I first kind of started out by testing
what could I actually put in bookmarks?
And it turns out pretty much anything.
And I just stayed to the ASCII character set, which I didn't have any problems
with.
But I started testing, you know, how many characters can I store in a single bookmark?
And there isn't an actual hard limit as far as what you can save as a bookmark.
But there is a limit in that a bookmark that has an excessively long name or URL won't synchronize.
They only persist locally. So it'll never synchronize to any of your other computers
if it's too long. But if you stay within certain confines, they will, and they synchronize
instantly. And when I did my testing, I looked at Chrome, Edge, Brave, and Opera. And each of them had some very different limits. And I won't bore you with
the details, but where Google will only allow roughly 9,000 or 9,300 characters per bookmark
to synchronize, I was able to do 300,000 with Brave. And with Opera, I could do 3.1 million characters per bookmark, which was kind of unreal.
That's a heck of a descriptive bookmark, isn't it?
I mean, you might as well just put the whole book in there.
Well, you know, it's funny that you say that because to give you the perspective there,
I used the 1932 novel Brave New World by Aldous Huxley as my test base there.
And it took roughly 60 bookmarks in
Chrome. And that was about 500,000 some odd characters in length when I base64 encoded it.
So, you know, for opera, you could fit that book in there three times.
Wow.
So, I mean, I'm starting to see the issue here.
I mean, if I'm someone who's charged with defending my organization against things like exfiltration,
I have this user-controlled element and everyone needs to use their browsers for day-to-day business stuff. But here's a way that data can be sent out of the organization without really
any monitoring. Yes?
I mean, there is monitoring. And I get into it in my paper, but
there are a few things that you can do from a defensive perspective. So for monitoring,
to your point, you really can't go wrong with decrypted traffic inspection. And most organizations
are likely to already have a forward proxy in place that can handle that. But whether or not they're looking at the browser synchronization
traffic, you know, that's another thing, right?
So let's talk about some of the terms here. Bruggling, what does that mean?
Yeah, so it's just a portmanteau of browser and smuggling.
And I just kind of loosely defined it
as the misuse of a built-in browser feature
to transmit or receive data to or from another system.
And what do you outline here
in terms of potentials for automation?
Well, so, you know, I,
and you can do this without any sort of scripting
or anything like that,
but I did write a PowerShell
script called Brugglemark that I have out there on GitHub. And what it does is it takes a raw text
file, Base64 encodes the data, splits it up into smaller strings, and then writes those strings as
bookmarks. And then from there, those bookmarks are instantly synchronized to any other signed-in
machine, which could be outside of your corporate network.
And Brugglemark can then be used to reconstruct the original raw text file on that machine.
So are we primarily thinking about an insider threat here?
Because wouldn't folks on both sides of this need to have access to the user account?
Well, I mean, it could either be an insider threat or it could be an attacker who's already gained access to the internal network.
And maybe they're looking for another sort of covert way of getting the data out.
Or maybe they are unable to use some of the other methods that they're accustomed to using.
They're afraid of tripping some of the
detection mechanisms that they think that the organization might have.
Right, right. Have you seen any signs that this sort of technique has been used by anyone before your own research on it?
No, I have not. However, there was some research and the person's name, I'm not familiar with how to say it, so I'm going to butcher it.
But I think it's Bojan.
And then his last name starts with a Z.
I apologize.
But I just can't remember off the top of my head, but he had done some research into extensions that were being used as a command
and control channel with Google Chrome. And I had actually seen that research come out a little bit
before I started my own. And as I mentioned, I've been thinking about this for a few years,
but I hadn't done anything with it. And when I saw that, I was like, damn, someone beat me to
the punch. But as I read it, I saw that they
were sticking to the extension. So I thought, okay, well, go forward with bookmarks. But yeah.
What is your take on this? I mean, the fact that these browsers allow such long bookmarks, I mean, that in itself seems a bit excessive.
Yeah, it kind of seems wholly unnecessary, at least, you know,
especially from the perspective of, you know, say opera doing 3.1 million characters. You know,
I don't think anyone's saving bookmarks that are that long. Usually you have a bookmark that says
like Twitter or Google or whatever, right? So I definitely think that, you know, they could rein
in the character limit there, but at the end of the day, it doesn't really matter so much because it just means I have to use more bookmarks to save that data.
Right.
Because there isn't really a practical limit on the number of bookmarks you can have.
Yeah.
You know, it's funny you brought that up as well.
So what I found in my testing is that profiles could synchronize more than 200,000 bookmarks.
And I actually didn't find a ceiling.
I just had to cut the testing off at some point.
So, you know, suffice it to say that while some users might have, you know, 200,000 bookmarks or more,
I'm guessing that the average user probably doesn't come anywhere near that.
Yeah, absolutely. So, I mean, what are your recommendations then? I mean, to what degree do you think this is a serious threat and what should organizations be mindful of?
I mean, I probably wouldn't start panicking or anything. I mean, it's just another
thing that's out there, right? And it's not really
a vulnerability or a weakness. It's really just abusing a feature. You know, it's not a bug
by any means. It's a feature. But from a defense point of view, one of my recommendations, and
again, the research paper goes in depth there, but the first thing to do is to consider whether or not
an organization actually needs synchronization enabled, because
we can disable it in its entirety through group policy.
But the unfortunate problem there is that it probably
isn't a tenable solution for most organizations to disable that synchronization
functionality, because it is useful for their users, especially someone who's working on a laptop and then they got to go catch
a flight somewhere using their mobile phone to access company resources. So in lieu of disabling
it completely, a more reasonable option is to use this restrict sign-in to pattern policy that Google provides,
which allows you to specify email domains that are allowed to sign in. So we can limit the email
addresses to only those with a domain owned by the organization. You know, on that point too,
it's also important to note that those group policy options, they can be bypassed by just using another browser. Because I can go and
download and install a different Chromium browser without admin privileges.
So if you've got Google Chrome or Microsoft Edge in your environment,
I can go and download Brave or Opera or Vivaldi
and use that. And unless you have that restrict sign-in
to a pattern policy set for each of them,
I can just go and sign in with an attacker-controlled email
and go on my merry way.
So to solve that, we would really need to start seeing
application allow listing used a lot more often
because the only alternative is to be on the constant lookout
for unauthorized browser executables.
Yeah.
As you were making your way along this journey, the research that you did here,
were there any things that were particularly surprising or unexpected?
The number of characters in the bookmarks and the number of bookmarks that I could synchronize were certainly.
When I was testing that I could have over 200,000 bookmarks,
as I was climbing my way up there,
I noticed the browser really starting to chug a bit.
So, I mean, that was kind of interesting,
but nothing else really outside of that.
Our thanks to David Prefer from the SANS Technology Institute for joining us.
The research is titled Bookmark Bruggling, Novel Data Exfiltration with BruggleMark.
We'll have a link in the show notes.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Rachel Gelfand,
Liz Ervin, Elliot Peltzman, Trey Hester,
Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar.
Thanks for listening.
We'll see you back here next week.