Security Experts:

Browser Sync - When Your Browser Brings Your Own Device to Work

How Browser Sync Features Can Pose a Risk to The Enterprise

Until recently, controlling the endpoint was the cornerstone of any enterprise security program to protect business data. The organization’s IT department was the only source for computing devices, which allowed it to apply security policies by installing certain application (e.g., antivirus software, security patches) and denying others deemed problematic (e.g., file sharing). Since the company owned the devices, it was also aware of the physical whereabouts of the device. Had the device been stolen or lost, the employee had to report it.

Risks via Web Browser SyncHowever, the emerging trend of “IT consumerization” or “Bring Your Own Device” (BYOD) is changing the status quo of enterprises networks. Wikipedia defines BYOD as “employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers, and databases.”

While the BYOD trend offers many advantages to the organization (e.g., shifting IT cost to employees and having state-of-the-art hardware), it also brings some serious concerns from an information security perspective as the IT department no longer has full control over the endpoint. Due to these concerns, some organizations refrain from BYOD and stick to the more traditional model.

But in some cases, new browser capabilities enable employees to essentially bypass an anti-BYOD policy. How? Employees can use a more subtle BYOD phenomena which doesn’t include bringing a physical device to work, but rather using the browser’s synchronization feature.

The Browser is the new OS

In the early days of the World Wide Web, the browser was a simple application made to just to fetch static pages and browsing the web was just another thing a users would do on their computer. Since then, a lot has changed, and now the web is commonly the primary reason to have a computer as it delivers functionality rich applications and open new connectivity options.

Naturally, the browser had to evolve to support it. A modern browser, such as the Google Chrome browser, includes features that were traditionally considered to be the sole property of the Operating System (OS). In fact, Google OS and Chrome browser share many features among them. Such features include installing and running applications downloaded from Google’s web store , accessing hardware devices (chrome 21 adds native support for webcams) and managing offline storage (HTML5 offline storage).

Another important addition over the basic browser’s model is the browser synchronization feature. It enables the user to sign in to Google’s web site and automatically synchronize all of the signed in devices. The following information gets synchronized across the devices – apps and extensions, personal browser information such as passwords, history, open tabs, bookmarks, autofill information and the browser’s internal settings.

Figure 1- Chrome 21 sync settings

Chrome Browser Sync Security Vulnerabilities

Such level of synchronization really brings BYOD hazards to the enterprise internal network environment. When the user is signing in from both his or her work computer and personal Android mobile phone, they can unwittingly expose their work computer. Business sensitive data such as passwords can be sent to the personal device and extensions from the personal device can be automatically installed on the company-owned computer.

If the personal device gets stolen, some business sensitive data can be taken from it and the IT department never gets any reports of the incident, since this is a privately owned device. If there’s a virus on the personal device it can leap from the personal environment to the enterprise’s environment by abusing the automatic extension synchronization and installing a malicious extension.

The bottom line –BYOD can happen even if the private device is not physically brought to the work environment.

Shifting the weight from endpoint based security to server based security

Surely, enterprises can thwart this specific case of BYOD by browser sync, by blocking browser syncing either with technology or with corporate policy. However, fighting for the endpoint’s security is an uphill battle at best, if not a lost cause.

A possible solution is to stop the “cat and mouse” game between the IT department and the users, allow the users to bring their own devices and accept the fact that endpoint can no longer be considered as safe (and in fact they weren’t very safe even before BYOD). Instead, the data security should be based on the servers that store the information. In other words, don’t focus on the mice, focus on the cheese. The server will protect its data by using various methods such as the online scanning of the endpoint for relevant malware, wrapping the data so it cannot be copied and sent, verifying the user with various authentication methods and not the endpoint.

This paradigm change, as with any other paradigm change, might be hard to stomach in the beginning but it’s seems to be eventually inevitable.

view counter
Tal Be’ery is a Senior Security Research Manager in Microsoft, formerly the VP of Research at Aorato (acquired by Microsoft), developing Microsoft Advanced Threat Analytics (ATA). Previously, Tal managed various security project teams in several companies. Tal holds a B.Sc and an M.Sc degree in Electrical Engineering and Computer Science and is a Certified Information Systems Security Professional (CISSP). He is the lead author of the TIME attack against HTTPS, has been a speaker at security industry events including RSA, Blackhat and AusCERT and was included by Facebook in their whitehat security researchers list. (Twitter: @talbeerysec)