With more and more people working from many more devices in many different locations, tab sync could be a boon. “When you’re signed in to Chrome,” announced Google, “your open tabs are synced across all your devices, so you can quickly access them from the ‘Other devices’ menu on the New Tab page.”
(Don’t panic if you can’t find it, ‘the tab sync feature will be rolled out... gradually over the coming weeks’.) But Google also adds, “Signing in to Chrome also syncs your bookmarks, apps, extensions, history, themes, and other settings.” This is what bothers Imperva, which sees two potential areas of compromise: personal data and browser behavior. More specifically, it says, “It provides the hacker with a simple way to leap from the victim's home environment (usually very insecure) to work environment (usually secured – updated AV and other end point solutions).”
Imperva gives an example: “The user is signed in to Chrome on both work and home computers. The home computer gets infected by a malware. Now all of the work synced data (such as work-related passwords) is owned by the malware.” Imperva continues with two possible but specific exploits. First, if the home computer malware were to install a rogue extension, syncing would automatically copy it to the work computer where, for example, “it can send every page you visit to the hackers website.”
A variation could be the malware diverting the home computer’s home page to a malware infection site before returning to the legitimate home page (thus disguising that it ever happened). Sync would ensure that exactly the same would happen on the work computer, and a zero-day infection from the malicious site may well succeed even on the better-protected work computer. “Even if the malware gets disinfected on work computer,” adds Imperva, “the malware is able to infect over and over again – as the root cause of the infection (=The home computer) is outside of the reach of the IT department.”
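The two scenarios above both rely on the work profile accepting whatever the home profile syncs in: extensions, apps and the home-page preference. The usual counter on a managed machine is a Chrome enterprise policy that stops those data types from syncing, restricts extension installs to an allowlist and pins the home page. The following script is an added example, not code from the article, Google or Imperva: it audits a managed-policy JSON file (the format Chrome reads from its managed-policies directory) for exactly those three controls. The policy keys `SyncDisabled`, `SyncTypesListDisabled`, `ExtensionInstallBlocklist`, `ExtensionInstallAllowlist`, `HomepageLocation` and `HomepageIsNewTabPage` are Chrome enterprise policy names; the two sample policies and the 32-character extension ID are constructed placeholders, and the accepted value strings for `SyncTypesListDisabled` should be confirmed against the policy list for the Chrome version in use.

```python
from __future__ import annotations

import json

# Sync data types whose automatic propagation from an unmanaged home profile
# is the concern in the rogue-extension and home-page scenarios.
# Assumption: these value strings match the SyncTypesListDisabled policy.
RISKY_SYNC_TYPES = frozenset({"extensions", "apps", "preferences"})

# Constructed sample: a weak managed policy that leaves sync and extension
# installs unrestricted.
WEAK_POLICY_JSON = """{
  "HomepageIsNewTabPage": false
}"""

# Constructed sample: a hardened policy for the managed work machine.
# The extension ID is a placeholder, not a real extension.
HARDENED_POLICY_JSON = """{
  "SyncTypesListDisabled": ["extensions", "apps", "preferences"],
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
  "HomepageLocation": "https://intranet.example/",
  "HomepageIsNewTabPage": false
}"""


def audit_sync_policy(policy: dict) -> list[str]:
    """Return the list of gaps found; an empty list means all checks pass."""
    gaps: list[str] = []

    # 1. Can a rogue extension, app or changed preference ride in over sync?
    #    SyncDisabled turns sync off entirely; otherwise each risky type must
    #    appear in SyncTypesListDisabled.
    if policy.get("SyncDisabled") is not True:
        disabled = set(policy.get("SyncTypesListDisabled", []))
        missing = sorted(RISKY_SYNC_TYPES - disabled)
        if missing:
            gaps.append(f"sync still propagates: {', '.join(missing)}")

    # 2. Even if an extension arrives, can it be installed? Blocking "*" and
    #    allowlisting known IDs means an unexpected extension is refused.
    blocklist = policy.get("ExtensionInstallBlocklist", [])
    if "*" not in blocklist:
        gaps.append("extension installs are not restricted to an allowlist")

    # 3. Is the home page pinned, so a synced-in redirect cannot take effect?
    if not policy.get("HomepageLocation"):
        gaps.append("home page not pinned by policy")

    return gaps


def audit_json(text: str) -> list[str]:
    """Parse a managed-policy JSON document and audit it."""
    return audit_sync_policy(json.loads(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY_JSON), ("hardened", HARDENED_POLICY_JSON)):
        gaps = audit_json(text)
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

Run against a real deployment by replacing the constructed samples with the contents of the policy file the work machine actually loads; an empty result means the three propagation paths the article describes are closed at the browser level, whatever the home machine does.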
This last concern, however, is only relevant if each re-infection used a different zero-day. Once the work computer has been disinfected, the malware that was removed is, by definition, no longer a zero-day to its security software. So, as David Harley, a senior research fellow at ESET, told Infosecurity, this particular scenario is “not necessarily, nor even particularly, likely. If the work computer has been disinfected, surely on-access scanning should pick up subsequent attempts to re-infect?”
In fairness to Google, it is not causing a problem; it is providing a new tool to improve personal productivity. Nevertheless, careless or thoughtless use of that tool could cause new problems at work – BYOB is just another problem to be solved in the corporate BYOD policy.