Browser sync is a neat feature provided by all major web browsers. It lets a user share many resources and configurations between devices, which is nice. Information such as bookmarks, browsing history, open tabs, credentials (username and password), extensions et cetera is shared between all your devices.
Things start to get messy when the line between personal and corporate devices starts to blur. If a user signs in with a personal account on a “corporate browser”, what could happen? You don’t need to get too creative to imagine the damage:
Credentials saved locally in the browser (another known bad habit…) will be shared with other insecure devices;
Bookmarks, browser history and open tabs could be a good hint for lateral movement, and this could get even worse if an attacker had the credentials… Oh, wait!
Extensions come and go during the sync process. Unsanctioned extensions will be installed on the corporate browser. Nothing to worry about unless you are talking about malicious extensions.
The issue here is that sensitive information is being exfiltrated right under our noses to a kind of unknown location. Well, it is not really unknown, as it is YOUR home.
In theory you should apply configurations to mitigate the matter, but it is easier said than done: how do you control browsers and block their conversations with the mothership and the subsequent spread to less secure devices?
SSL Inspection and URL Filtering Policies to the rescue!
SSL inspection will provide the required visibility on the commands a browser executes during the sync process. URL filtering will block the undesired behavior.
So, Google Chrome relies on the following keywords* on the URL to perform the sync:
Microsoft Edge is quite the same:
Create a Custom URL Category with the above keywords:
Add it to a blocking URL filtering rule and you are good to go.
Don’t forget to activate the changes!
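As an added illustration (not from the original post), the sketch below models how a keyword-based custom URL category decides on a request with and without SSL inspection, showing why path-level keywords only match once the traffic is decrypted. The keywords, hostnames and sample requests are constructed placeholders, not the actual Chrome or Edge sync keywords, and the matching is a simplified substring check rather than any vendor's engine.

```python
from urllib.parse import urlsplit

# Constructed placeholder keywords, NOT the real browser sync keywords.
SYNC_CATEGORY = [
    "sync.browser-vendor.example/sync-api",   # host + path keyword
    "accounts.browser-vendor.example",        # host-only keyword
]

def visible_url(url: str, decrypted: bool) -> str:
    """Return what the gateway can match on.

    With SSL inspection the host and path are visible; without it only
    the hostname (from SNI or the certificate) is. Assumption: the query
    string is ignored and matching is case-insensitive.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host + parts.path.lower() if decrypted else host

def verdict(url: str, decrypted: bool, category=SYNC_CATEGORY):
    """Return ("block", keyword) on the first keyword hit, else ("allow", None)."""
    seen = visible_url(url, decrypted)
    for keyword in category:
        if keyword.lower() in seen:
            return ("block", keyword)
    return ("allow", None)

# Constructed sample requests.
SAMPLES = [
    "https://sync.browser-vendor.example/sync-api/command?client=abc",
    "https://SYNC.browser-vendor.example/Sync-API/command",
    "https://sync.browser-vendor.example/static/logo.png",
    "https://accounts.browser-vendor.example/login",
    "https://intranet.corp.example/wiki",
]

def report(samples=SAMPLES):
    """Return (url, verdict with inspection, verdict without inspection) per sample."""
    return [(u, verdict(u, True)[0], verdict(u, False)[0]) for u in samples]

if __name__ == "__main__":
    for url, inspected, blind in report():
        print(f"inspected={inspected:5} uninspected={blind:5} {url}")
```

The first two samples are blocked only when inspection is on, which is the gap a rule set without decryption leaves open; the host-only keyword blocks either way.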