4

Can Chrome sync be infected by malware? I cannot imagine how, but a particular unproven example that comes to mind is to change the "preferences", so that a malicious proxy server is added.

Another one might be to add some malicious web page bookmarks that load as closed tabs or in the "new tab", "speed dial" section. In both the above unproven examples, malicious information is stored on Google's servers and it is synced with your browser.

Are those examples applicable? Are there any other ways to infect Chrome sync?

P.S.: I hope those examples I wrote already exist (if they are applicable) and do not give ideas to hackers on how to proliferate their malware.

Vilican
pgmank
  • It can most certainly happen. There have been browser hijacks that span across the user's other computers using Chrome. One popular one is the Trovi virus. Trovi does indeed pass on hijacked browser bookmarks onto your other devices. This isn't new; homepages have been hijacked and then propagated to other systems using your Google account user. And this is why I use Firefox only. – Cameron Does Things Dec 23 '15 at 21:24
  • How exactly would Firefox prevent this? Firefox has its own sync feature. Bookmarks, settings, extensions and more get synced in Firefox as well (I use it all the time for open tab syncing). You can turn off sync in both browsers if you don't like it. – Ben Jan 26 '20 at 15:34

4 Answers

4

Generally, yes, it can. You can even find instructions about how to fix this problem.

More specifically, Chrome sync synchronizes (per the advanced sync settings of Chrome v.47):

  • Apps and extensions
  • Autofill information
  • Bookmarks
  • History
  • Passwords
  • Settings
  • Open tabs
  • Themes

If any of those can be maliciously manipulated, it will likely be spread by Chrome sync. Here are malicious activities that I can think of; I'm sure there are more:

  • Apps and extensions - Many, many ways to do bad stuff here. These can open windows, alter page contents, redirect pages, etc...
  • Autofill information - An attacker could try to have online orders shipped to their address or fill in other information.
  • Bookmarks - Alter your bookmarks to go to attacker's site.
  • History - As this is used for completion, you can misdirect the user when typing a URL to go to the attacker's URL.
  • Passwords - Assuming you can only set passwords and not get them, all that I can think of is that an attacker could trick a user into logging into a site as the attacker. Presumably the user would enter confidential information or do something else that would be of value to the attacker.
  • Settings - You mention proxies. There's also the settings for the new tab and home pages. I'm sure there's more.
  • Open tabs - Open pages with malicious content or downloads on remote devices.
  • Themes - Can't think of much. Perhaps change the user's theme to lots of cats?

Destroying data in Chrome sync may also be a way to spread malicious activity. For example, just deleting all of a user's bookmarks could cause great pain for bookmark-heavy users.

While every piece of browser malware may not be applicable to being synced across instances, certainly there are many ways to do it.

Neil Smithline
  • Can I ask what do you mean by *Assuming you can only set passwords and not get them*? Doesn't Chrome sync passwords? – SarpSTA Sep 07 '16 at 21:11
  • @SarpSTA - at least to me, the OP seems to be focused on spreading malicious intent via Chrome sync. That is, an attacker gets control of one browser and sets some data that will be synced. This data will then infect other synced browsers on different computers. So that's what I focused my answer on. There is no doubt that there is lots of confidential data in your browser (eg: passwords, session cookies, data on web pages) that would be very bad to let fall into the wrong hands. But I think that's a different question. – Neil Smithline Sep 07 '16 at 21:53
0

Yes, this happened to me when I installed a fake malicious Chrome Ledger extension (CryptoCurrencyStealer). I had another computer with Chrome synced, and once I booted up the other computer it synced and added the extension. Syncing is very convenient, but I'd rather be safe and unsync Chrome across all my systems. It's very scary, especially when dealing with crypto wallets.

Stbean
-1

Yes. I sold my friend a pristine Chromebook. In less than a week, plugging in a phone that had some malware or other infected the Chromebook. I was using it a bit, and my own data got briefly and slightly infected. I'm not educated. I just solve things by poking around, googling, and never giving up. Somehow I shook off the infection. I was going to help my friend clean the Chromebook (powerwashed twice, but as you note, kind of, by asking the question, it's syncing infected files so power wash is no help).

iquanyin
-1

To add to Neil's answer. The "default search engines" feature of Chrome can also be infected.
I've created a working exploit and notified Google about the issue but they don't seem to be taking it too seriously.
Always check your "default search engines" in settings to ensure nothing abnormal is going on.
I believe IE and Firefox have protection mechanisms in place for this but Chrome does not.
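
An added example, not part of any answer above: a defender-side audit of the synced settings these answers name (home page, startup pages, default search engine, proxy, extensions) against a known-good allowlist. The sample profile data is constructed, the allowlists are hypothetical, and the key paths are assumptions about the layout of Chrome's profile `Preferences` JSON, which varies by version.

```python
import json
from urllib.parse import urlsplit

# Constructed sample resembling a profile "Preferences" file after a hijack
# has synced in. Key paths are assumptions and vary by Chrome version.
SAMPLE_PREFS = json.loads("""
{
  "homepage": "http://search.example-hijack.test/",
  "session": {"restore_on_startup": 4,
              "startup_urls": ["http://search.example-hijack.test/?s=1"]},
  "proxy": {"mode": "fixed_servers", "server": "203.0.113.7:8080"},
  "default_search_provider_data": {"template_url_data": {
      "url": "http://search.example-hijack.test/?q={searchTerms}"}},
  "extensions": {"settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": true},
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": false}}}
}
""")

def dig(d, path, default=None):
    """Follow a dotted key path through nested dicts; default if any key is missing."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d

def audit_prefs(prefs, allowed_hosts, allowed_extensions):
    """Return (setting, value) pairs that fall outside the allowlists."""
    findings = []
    urls = {"homepage": [dig(prefs, "homepage", "")],
            "startup_urls": dig(prefs, "session.startup_urls", []),
            "default_search": [dig(prefs, "default_search_provider_data.template_url_data.url", "")]}
    for setting, values in urls.items():
        for url in filter(None, values):
            if (urlsplit(url).hostname or "").lower() not in allowed_hosts:
                findings.append((setting, url))
    # Any explicit proxy (fixed server, PAC script, auto-detect) deserves a look.
    mode = dig(prefs, "proxy.mode", "system")
    if mode not in ("system", "direct"):
        findings.append(("proxy", f"{mode} {dig(prefs, 'proxy.server', '')}".strip()))
    for ext_id in sorted(dig(prefs, "extensions.settings", {})):
        if ext_id not in allowed_extensions:
            findings.append(("extension", ext_id))
    return findings

if __name__ == "__main__":
    for setting, value in audit_prefs(SAMPLE_PREFS, {"www.google.com"}, {"a" * 32}):
        print(f"{setting}: {value}")
```

Because sync restores these values on every signed-in device, a finding on one machine means the synced data itself needs cleaning, not just the local profile.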