Targeting your browser bookmarks?
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
David Prefer: You know, I actually had this idea sort of come to me a few years back, actually, where I was contemplating how there are some extremely common applications that most organizations are likely to be using, and then sort of wondering to myself, you know, how many of those have an inherent need to communicate with or access resources outside of the corporate network? And so that kind of drew my attention to browsers and what functions might exist that, you know, may not have been given much attention in that regard.
Dave Bittner: That's David Prefer. He's a student at the SANS Technology Institute. The research we're discussing today is titled "Bookmark Bruggling: Novel Data Exfiltration with Brugglemark."
Dave Bittner: Well, I think it's fair to say that browsers certainly at this point are fairly sophisticated. I've heard some people refer to them as almost being operating systems in their own right. I mean, what sorts of functions drew your attention?
David Prefer: I mean, I was just kind of thinking of anything, but what came to my mind actually was bookmarks, like, actually just almost right out of the gate. Yeah, I mean - well, and one of the things that came before that was search history. So, you know, whatever you type into, say, Google or whatever, in, you know, Google Chrome or Microsoft Edge and stuff like that - you know, that all gets, you know, saved offline by the browser. And, you know, bookmarks I started looking at there, and it turns out that, you know, does the same thing, too.
Dave Bittner: Well, explain for us, for folks who may not be familiar with it, how exactly does this bookmark synchronization work?
David Prefer: When you sign into your account in Google Chrome or whatever browser that you're using, it synchronizes to clients - or clients4.google.com. The full URL is in the research paper. Each synchronization that occurs generates an HTTP POST request to clients4.google.com. And profiles can then, you know, when you're signed in there, synchronize bookmarks and history and extensions, themes, whatever you want, back and forth with Google.
Dave Bittner: And so, I mean, this is for the user's convenience. So if you're using multiple devices or a desktop device, a mobile device, it all syncs automatically. And in general, this is a good thing.
David Prefer: Yeah. Oh, yeah, it does wonders for usability.
Dave Bittner: So what was the issue here that you're exploring, the potential vulnerability?
David Prefer: Yeah. So I mean, the way it works is, you know, when, again, you know, browsers feature those built-in synchronization capabilities and bookmarks, they offer - you know, it's a user-controlled function, right? So as a user, I can just go in and save a bookmark for any website I want and give that bookmark whatever name I want to give it. It's completely up to me and only me as a user. And so when you've got that sort of flexibility and you combine it with a synchronization function, then you have a workable channel for data exfiltration, right? So - and browsers are this - you know, again, it's this usability thing, right? So browsers are inherently a consumer-first technology, and, you know, that's what their goal is there, right?
Dave Bittner: Yeah. So let's walk through what you all discovered here. I mean, let's go through it step by step. How did you go about this research?
David Prefer: Yeah. So I first kind of started out by testing, what could I actually put in bookmarks? And it turns out, you know, pretty much anything. And I just stayed to the, you know, ASCII character set, which I didn't have any problems with. But I started testing, you know, how many characters can I store in a single bookmark? And there isn't an actual hard limit as far as what you can save as a bookmark. But there is a limit in that a bookmark that has an excessively long name or URL won't synchronize. They only persist locally, so it'll never synchronize to any of your other computers if it's too long. But if you stay within certain confines, they will, and they synchronize instantly. And when I did my testing, I looked at Chrome, Edge, Brave and Opera. And each of them had some very different limits. And I won't bore you with the details, but where Google will only allow roughly 9,000 or 9,300 characters per bookmark to synchronize, I was able to do 300,000 with Brave. And with Opera, I could do 3.1 million characters per bookmark. Which is kind of...
Dave Bittner: Wow (laughter).
David Prefer: Yeah (laughter).
Dave Bittner: That's a heck of a descriptive bookmark, isn't it? (Laughter).
David Prefer: (Laughter).
Dave Bittner: I mean, you might as well just put the whole book in there.
David Prefer: Well, you know, it's funny that you say that, because to give you the perspective there, I used the 1932 novel "Brave New World" by Aldous Huxley as my test base there. And it took roughly 60 bookmarks in Chrome. And that was about 500,000-some-odd characters in length when I Base64 encoded it. So, you know, for Opera, you could fit that book in there three times (laughter)...
Dave Bittner: Wow.
David Prefer: ...At least.
Dave Bittner: So, I mean, I'm starting to see the issue here. I mean, if I'm someone who's charged with defending my organization against things like exfiltration, I have this user-controlled element. And everyone needs to use their browsers for day-to-day business stuff, but here's a way that data can be sent out of the organization without really any monitoring. Yes?
David Prefer: I mean, there is - I mean, you - some - and I get into it in my paper - but, you know, there are a few things that you can do from a defensive perspective. So for monitoring, and then to your point, you know, you really can't go wrong with decrypted traffic inspection. And most organizations are likely to already have a forward proxy in place that can handle that. But whether or not they're looking at the browser synchronization traffic, you know, that's another thing, right?
Dave Bittner: So let's talk about some of the terms here. Bruggling, what does that mean?
David Prefer: Yeah, so it's just a portmanteau of browser and smuggling. And I just kind of loosely defined it as the misuse of a built-in browser feature to transmit or receive data to or from another system.
Dave Bittner: And what are your - what do you outline here in terms of potentials for automation?
David Prefer: Well, so, you know, I - and you can do this without any sort of scripting or anything like that, but I did write a PowerShell script called Brugglemark that I have out there on GitHub. And what it does is it takes a raw text file, Base64 encodes the data, splits it up into smaller strings and then writes those strings as bookmarks. And then from there, those bookmarks are instantly synchronized to any other signed-in machine, which, you know, could be outside of your corporate network. And Brugglemark can then be used to reconstruct the original raw text file on that machine.
Dave Bittner: So are we primarily thinking about like an insider threat here? Because wouldn't folks on both sides of this need to have access to the user account?
David Prefer: Well, yeah, I mean, it could either be an insider threat, or it could be an attacker who's already gained access to the internal network. And, you know, maybe they're looking for another sort of covert way of getting the data out. Or maybe they are, you know, unable to use some of the other methods that they're accustomed to using. They're afraid of, you know, tripping, you know, some of the detection mechanisms that they think that the organization might have.
Dave Bittner: Right. Right. Have you seen any signs that this sort of technique is being used by anyone before your own research on it?
David Prefer: No, I have not. However, there was some research, and I'm - the person's name, I'm not familiar with how to say it, so I'm going to butcher it. But I think it's Bojan, and then his last name starts with a Z, I apologize. But I just can't remember off the top of my head. But he had done some research into extensions that were being used for - as a command-and-control channel with Google Chrome. And I actually saw that research come out a little bit before I started my own. And as I mentioned, I've been thinking about this for a few years, but I hadn't done anything with it. And when I saw it, I was like, damn, you know, someone beat me to the punch (laughter). But as I read it, I saw that they were sticking to the extension. So I thought, OK, well, I'll go forward with bookmarks but, yeah.
Dave Bittner: What is your take on this? I mean, the fact that these browsers allow such long bookmarks, I mean, that, in itself, seems a bit excessive.
David Prefer: Yeah, it kind of seems wholly unnecessary, at least - you know, especially from the perspective of, you know, say, Opera doing 3.1 million characters. You know, no one - I don't think anyone's saving bookmarks that are that long. Usually, you have a bookmark that says, like, Twitter or Google or whatever, right? So I definitely think that, you know, they could rein in the character limit there. But at the end of the day, it doesn't really matter so much because it just means I have to use more bookmarks to save that data, right?
Dave Bittner: Right. Because there isn't really a practical limit on the number of bookmarks you can have.
David Prefer: Yeah. You know, it's funny you brought that up as well.
David Prefer: So what I found in my testing is that profiles could synchronize more than 200,000 bookmarks. And I actually didn't find a ceiling. I just had to cut the testing off at some point. So, you know, suffice it to say, that while some users might have, you know, 200,000 bookmarks or more, I'm guessing that the average user probably doesn't come anywhere near that.
Dave Bittner: Yeah, absolutely. So, I mean, what are your recommendations then? I mean, to what degree do you think this is a serious threat, and what should organizations be mindful of?
David Prefer: I mean, I probably wouldn't start panicking or anything. I mean, it's just another thing that's out there, right? And it's not really a vulnerability or a weakness. It's really just abusing a feature. You know, it's not a bug by any means. It's a feature. But from a defense point of view, one of my recommendations - and, again, the research paper goes in-depth there - but, you know, the first thing to do is to consider whether or not an organization actually needs synchronization enabled. Because we can disable it in its entirety through group policy. But, you know, the unfortunate problem there is that it probably isn't a tenable solution for most organizations to disable that synchronization functionality because it is useful for their users, especially, you know, someone who's working on a laptop and then they've got to go catch a flight somewhere, you know, using their mobile phone to access company resources. So in lieu of disabling it completely, a more reasonable option is to use this restrict-sign-in-to-pattern policy that Google provides, which allows you to specify email domains that are allowed to sign in. So we can limit the email addresses to only those with the domain owned by the organization.
David Prefer: You know, on that point too, it's also important to note that those group policy options, they can be bypassed by just using another browser. Because I can go and download and install a different Chromium browser without admin privileges. So if you've got Google Chrome or Microsoft Edge in your environment, I can go and download Brave or Opera or Vivaldi and use that. And unless you have that restrict-sign-in-to-pattern policy set for each of them, I can just go and sign in with, you know, an attacker-controlled email and go on my merry way. So to solve that, it - you know, we would really need to start seeing, you know, application allow-listing used a lot more often. Because the only alternative is to be on the constant lookout for unauthorized browser executables.
Dave Bittner: Yeah. You know, as you were making your way along this journey, the research that you did here, were there any things that were particularly surprising or unexpected?
David Prefer: The number of characters in the bookmarks and the number of bookmarks that I could synchronize were certainly - you know, I - when I was testing, you know, that I can have over 200,000 bookmarks, as I was climbing my way up there, I noticed the browser, like, really starting to chug a bit. So, I mean, that was kind of interesting, but nothing else really outside of that.
Dave Bittner: Our thanks to David Prefer from the SANS Technology Institute for joining us. The research is titled "Bookmark Bruggling: Novel Data Exfiltration with Brugglemark." We'll have a link in the show notes.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Ervin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.