Hackers used a fake Forcepoint extension, leveraging the Google Chrome Sync feature, to exfiltrate data and send commands to infected browsers. “Some of the methods observed in analyzed code were pretty scary – from a defender's point of view,” researcher Bojan Zdrnja says. The extension had nothing to do with Forcepoint – the attackers just used the logo and the name. In February, Google removed 500 Chrome extensions from its online store after researchers found that attackers were using them to steal browser data.
Source: https://www.govinfosecurity.com/data-exfiltration-enabled-by-google-chrome-sync-extension-a-15952

