Browser sync—what are the risks of turning it on?

Browser sync—what are the risks of turning it on?

Modern browsers include synchronization features (like Google Chrome’s Sync) so that all your browsers, on all your devices, share the same tabs, passwords, plugins, and other features. While this is certainly convenient, particularly when you’re migrating to a new device, synchronizing browsers also comes with some risks.

What is browser sync?

Browser syncing was introduced in 2012 by Chrome with the goal of letting you continue at home where you left off at work, and vice versa. Since then, other browsers have introduced similar features. There are slight differences between them when it comes what you can synchronize, but the basics are pretty much the same for most of them.

When Chrome Sync is toggled on, the synchronised information includes bookmarks, passwords, history, open tabs, settings, preferences, and, in some cases, even payment information saved in Google Pay.

Firefox lets you synchronize your data and preferences—such as your bookmarks, history, passwords, open tabs, and installed add-ons—across all your devices.

Microsoft Edge can synchronize your favorites, passwords, and other browser data—including payment information—across all your signed-in devices.

Opera lets users synchronize their bookmarks, settings, and open tabs between mobile and desktop browsers. Earlier, Opera required users to create an account and sign in on both platforms, or use the more limited “Opera Touch” app in order to do so. After users install the latest Android and desktop updates, however, they can synchronize all that data across devices within the core apps using a QR code, no need for an account.

Sharing with strangers

Synchronized data can include browser history, bookmarks, passwords, cookies, and other information that users consider private and typically have no intention of sharing with anyone else. Password, cookie and payment card secrecy is also important for security. Browser synchronization increases the risk of you inadvertently sharing that information with other users of the computers you sync between.

It’s important to consider whether you are truly the only user of a system that is set to synchronize. Imagine what can happen if your kids are playing with your home laptop and it synchronizes to your work system.

You should also consider the risk of your device being lost or stolen but continuing to sync your information to the thief (as if there wasn’t enough stress involved in losing a device.)

Another thing to consider before synchronizing is that having a universal ID for all your systems can lead a hacker from one of your systems to all of them!

Spreading danger

Security threats can also be copied from one device to another, in the form of malicious extensions (also called plugins or add-ons), and open tabs.

Malware in the form of browser extensions is relatively rare, but it does happen. We have seen infected JavaScript-based extensions with malicious code that made it possible to introduce malware to an affected system.

Google regularly has to clear out bad extensions from its Chrome Web Store. While many of those extensions would fall into the categories of Potentially Unwanted Programs (PUPs) or adware, they can still cause problems and many would be frowned upon if you introduced them into your work environment by synchronizing from your home browser.

Open tabs are potentially even more risky. While most browsers have built-in methods to get out of browlocks, copying them to another device is undesirable.

Differences in patching and security software between machines can also create opportunities for threats to thrive. While a malicious website might be harmless on your personal device, because of local protection, it might seize the opportunity if the tab it’s in is synchronized to a work device that relies on different security measures.

Cloud privacy issues

Another reason why some people dislike the idea of synchronizing browsers is because the synchronized data isn’t just shared between devices, it’s also stored in the cloud, under the control of the browser vendor.

Not all browsers are the same here. The popular Firefox browser encrypts your data locally—with a cryptographically secure, randomly generated key—before storing it in the cloud, so it can’t read your information. Chrome users who want similar protection must set a passphrase.

People who just don’t like that idea of sharing their information with browser vendors, even if it’s encrypted, can use specialized software that promises to synchronize your browser data in a more secure way.

Chrome disables sync API for third-parties

Recently a story that is sideways related hit the news. Google issued a statement saying that it will block third-party Chromium web browsers from using private Google APIs that were only intended for Chome. (Chromium is an open source project run by Google that provides most of the code for Google Chrome, and forms the basis of other popular browsers like Microsoft Edge and Brave.)

Google Chrome Engineering Director Jochen Eisinger stated:

“During a recent audit, we discovered that some third-party Chromium-based browsers were able to integrate Google features, such as Chrome sync and Click to Call, that are only intended for Google’s use.”

Google will limit 3rd party Chromium browsers from accessing private Chrome APIs starting March 15, 2021. However, Google says that users who have accessed private Google features such as Chrome Sync while using third-party browsers will still be able to access the synchronized data locally or in their Google account, depending on their settings. And if you should decide to look into the third-party alternatives we talked about earlier, you will find that some of these will provide you with options to synchronize other Chromium browsers.

An informed decision

An informed decision is all we can hope to offer you. Before you decide it’s safe to synchronize your browser data, these are the questions we would like you to ask:

  • Is the owner of the two devices the same? If this is not the case, it wouldn’t hurt to ask for permission first.
  • Is the main user of the two devices the same person? If not, synchronizing could leak data, or be considered spying on someone.
  • Do you trust the provider of the synchronization service and its cloud facility to handle your data with care?
  • What are the chances of carrying over malicious content from one device to another? Are both devices equally well protected?

Asking these questions will remind you of what could go wrong and help you decide whether it is worth it.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.