
Exfiltrating data via browser bookmark sync

SANS Institute published research by David Prefer showing how modern browsers featuring bookmark synchronization can be leveraged to surreptitiously exfiltrate data from a compromised system.


The technique relies on the bookmark synchronization feature in all modern browsers, which can be weaponized by carefully constructing bookmark files featuring base64-encoded content. This content will immediately be uploaded to the synchronization server under the attacker's account.


The technique shows how legitimate features can be used to hide the attacker's actions on a compromised endpoint.

Again, endpoint introspection is crucial here, and this technique highlights why endpoint-based checks featured in EDR/XDR or even ZTNA software clients are the best bet for defending against such techniques.


Monitoring such activity at the network level alone is exceedingly difficult (even if TLS inspection is turned on for the legitimate browser sync servers). However, at the endpoint (software client) level there are many unusual activities that EDR or behavior-monitoring software can include in its threat indicators: for example, the creation of exceedingly large JSON files in the Chromium bookmark format, or the creation of an unusually large number of bookmark files (which indicates exfiltration via this channel).
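
The sketch below shows how an endpoint check along these lines could evaluate the contents of a Chromium-format bookmark file. It is an added example, not code from the SANS paper or its author. The thresholds, the function names and the sample profiles are assumptions made for illustration, and the base64 test is a simple heuristic.

```python
import base64
import json
import re

# Assumed thresholds (not from the research); tune against a baseline of real profiles.
MAX_FILE_BYTES = 5 * 1024 * 1024   # "exceedingly large" Bookmarks file
MAX_BOOKMARKS = 5000               # unusually many bookmark entries
MIN_B64_RUN = 200                  # shortest base64-like run worth flagging

# Heuristic: a long unbroken run of base64 (or base64url) alphabet characters.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{%d,}" % MIN_B64_RUN)


def walk(node):
    """Yield every url-type entry beneath a Chromium bookmark node."""
    if node.get("type") == "url":
        yield node
    for child in node.get("children", []):
        yield from walk(child)


def assess_bookmarks(raw: bytes) -> list:
    """Return human-readable findings for the contents of one Bookmarks file."""
    findings = []
    if len(raw) > MAX_FILE_BYTES:
        findings.append(f"file size {len(raw)} bytes exceeds {MAX_FILE_BYTES}")
    roots = json.loads(raw).get("roots", {})
    entries = [e for r in roots.values() if isinstance(r, dict) for e in walk(r)]
    if len(entries) > MAX_BOOKMARKS:
        findings.append(f"bookmark count {len(entries)} exceeds {MAX_BOOKMARKS}")
    encoded = [e for e in entries
               if B64_RUN.search(e.get("name", "")) or B64_RUN.search(e.get("url", ""))]
    if encoded:
        findings.append(f"{len(encoded)} entries carry long base64-like strings")
    return findings


def _profile(children):
    """Build a constructed, minimal Bookmarks file for the demo below."""
    bar = {"type": "folder", "name": "Bookmarks bar", "children": children}
    return json.dumps({"roots": {"bookmark_bar": bar}, "version": 1}).encode()


# Constructed sample inputs, not captured data.
BENIGN = _profile([{"type": "url", "name": "SANS", "url": "https://www.sans.org/"}])
SUSPECT = _profile([{"type": "url", "url": "https://example.invalid/",
                     "name": base64.b64encode(bytes(range(256))).decode()}])

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, assess_bookmarks(raw))
```

In practice such a check would run whenever the browser profile's bookmark file is written, and the findings would feed the EDR's scoring rather than act as a verdict on their own.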


Read the SANS-published research paper for more on this technique. The researcher has also created a PowerShell script that illustrates the attack.
