Storing corporate and personal information, accounts, and files on separate devices is one of the most popular (and effective!) tips for information security. Many companies set this as a mandatory requirement for all employees. A natural extension of such a policy is prohibiting data sharing between work and home computers via services like Dropbox, and recommending against registering personal accounts (for example, in online stores) with a work e-mail address. Often, neither users nor administrators consider another place where home and work intersect: web browser settings.
Suggestions to enable Chrome browser synchronization using a Google cloud account pop up from day one, and in fact, Chrome often enables it automatically after the user logs in to Gmail or Google Docs. In Firefox and Edge, syncing is less obtrusive, but it exists and is also offered. At first glance, having synced bookmarks is convenient and not risky, but attackers think otherwise, of course.
How browser synchronization can be risky
Firstly, your cloud profile contains quite a lot of information. In addition to a list of bookmarks and open tabs, browsers also synchronize passwords and extensions between computers. Therefore, attackers who compromise an employee’s home computer can gain access to a number of work passwords. And if a user installs a malicious extension at home, it will automatically appear on the work computer. These are not hypothetical attacks. It was password synchronization in Google Chrome that led to the compromise of information-security giant Cisco, while malicious extensions disguised as corporate security tools were used to steal OAuth authentication tokens.
Secondly, malicious extensions can be used for data exfiltration from an infected computer. Because in this case Chrome is communicating with Google’s legitimate infrastructure, such an attack can go on for a long time without triggering warnings from network defenses.
How to secure office computers against browser synchronization
System administrators have to take a number of measures to effectively address the threat posed by browser synchronization:
- Use browsers that support centralized security policy settings (Google Chrome, Firefox)
- At the security policy level, disable profile synchronization
- Again at policy level, prohibit saving passwords in the browser (a specialized password manager is preferable)
- If necessary, limit the installation of browser extensions to a list of trusted extensions, or prohibit it altogether
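The three policy measures above, as an added example that is not part of the original article: a small Python helper that generates the managed-policy files for Chrome and Firefox (sync off, browser password storage off, extensions blocked except an allowlist) and audits an existing Chrome policy for settings left open. The policy names are the real enterprise policy keys; the file locations, extension IDs and the audit logic are this example's own assumptions.

```python
"""Generate and audit corporate browser policies: no profile sync,
no browser-saved passwords, no extensions outside an allowlist."""
import json
from pathlib import Path

# Placeholder IDs, not real extensions: replace with your vetted ones.
TRUSTED_CHROME_EXT = ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
TRUSTED_FIREFOX_EXT = ["vetted-addon@example.com"]

def chrome_policy(allowlist=TRUSTED_CHROME_EXT):
    """Chrome managed policy (same key names as the Windows GPO/registry)."""
    return {
        "BrowserSignin": 0,                  # 0 = browser sign-in disabled, so no sync
        "SyncDisabled": True,                # sync stays off even if sign-in is re-enabled
        "PasswordManagerEnabled": False,     # use the corporate password manager instead
        "ExtensionInstallBlocklist": ["*"],  # block every extension ...
        "ExtensionInstallAllowlist": list(allowlist),  # ... except vetted IDs
    }

def firefox_policy(allowlist=TRUSTED_FIREFOX_EXT):
    """Firefox enterprise policies.json with the equivalent settings."""
    ext = {"*": {"installation_mode": "blocked"}}
    ext.update({i: {"installation_mode": "allowed"} for i in allowlist})
    return {"policies": {
        "DisableFirefoxAccounts": True,      # no Firefox account means no sync
        "PasswordManagerEnabled": False,
        "ExtensionSettings": ext,
    }}

def audit_chrome(policy):
    """Return findings for a Chrome policy dict that leaves an exposure open."""
    findings = []
    if policy.get("BrowserSignin") != 0 and policy.get("SyncDisabled") is not True:
        findings.append("profile sync still possible")
    if policy.get("PasswordManagerEnabled", True):   # Chrome default is enabled
        findings.append("browser may save passwords")
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("arbitrary extensions installable")
    return findings

def write_policies(chrome_dir, firefox_dir):
    """Write both files. Assumed Linux locations: /etc/opt/chrome/policies/managed/
    for Chrome and <firefox install dir>/distribution/ for Firefox."""
    chrome_dir, firefox_dir = Path(chrome_dir), Path(firefox_dir)
    chrome_dir.mkdir(parents=True, exist_ok=True)
    firefox_dir.mkdir(parents=True, exist_ok=True)
    (chrome_dir / "corp.json").write_text(json.dumps(chrome_policy(), indent=2))
    (firefox_dir / "policies.json").write_text(json.dumps(firefox_policy(), indent=2))

if __name__ == "__main__":
    # Constructed weak policy: sync is off, but passwords and extensions are open.
    print(audit_chrome({"SyncDisabled": True}))
```

Run `write_policies` with root privileges (or push the same keys through your management tool) and verify the result in chrome://policy and about:policies.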
Last but not least, educate employees well in advance. Explain why they should only use corporate browsers, and why they mustn’t save passwords in the browser or synchronize bookmarks with their home computers. Allow some time for adaptation, and then apply the new policies. If for some reason an organization cannot implement corporate browser builds, employee training remains the only, and therefore the key, means of protection.