When syncing sinks your browser
by Rob Rachwald - Imperva - Thursday, 31 May 2012.
Google Chrome's most recent version (v19) introduced a "tab sync" feature. When inspecting this feature from a security perspective, we realized that a new type of threat can allow a hacker to comfortably "leap" from a compromised home computer to a work computer. We name this kind of threat BYOB, for "Bring Your Own Browser." Today, mobile devices mix work data and personal endpoints; BYOB does exactly the same thing, only it's more elusive because no physical device is involved.

Let's start with the view of browser syncing according to Google:
Say you’ve found an awesome recipe on your work computer while... ahem... working hard at the office. But when you get back home, you can’t quite remember if it was two teaspoons of baking soda or two teaspoons of baking powder. Wouldn’t it be cool if you could pull up the same recipe on your home computer with one click?

With today’s Stable release of Chrome, you can. When you’re signed into Chrome, your open tabs are synced across all your devices, so you can quickly access them from the “Other devices” menu on the New Tab page. If you’ve got Chrome for Android Beta, you can open the same recipe tab right on your phone when you run out to the store for more ingredients. The back and forward buttons will even work, so you can pick up browsing right where you left off.

Open tabs aren’t the only things that sync when you sign in to Chrome. Signing in to Chrome also syncs your bookmarks, apps, extensions, history, themes, and other settings. That way, when you sign in to Chrome, you can have your personal Chrome experience on all your devices. Just go to the Chrome menu and select “Sign in to Chrome.”

When you sign in to Chrome, what gets synced? By default, everything:




If a user follows the default setting and all information gets synced, what can get compromised? There are two main groups:

1. Personal data. For example, the autofill feature remembers the addresses and credit card details the user has typed in. The good news? We found that credit card details are not synced across accounts. We are not sure if this is by design, as we weren’t able to find an official reference for that behavior.



The bad news? Usernames and passwords are also synced:

Copyright 1998-2013 by Help Net Security.