The web browser is inarguably the most common portal for users to access the internet for any given array of consumer or business purposes. Innovative advances have allowed many traditional “thick client” apps to be replaced by the browser, enhancing its usability and ubiquity. User-friendly features such as recording browsing history, saving credentials and enhancing visitor engagement through the use of cookies have all helped the browser become a “one stop shopping” experience
However, the browser also has the potential to betray the user through the very same options which are intended to make life easier since it serves as a ripe target for the theft of confidential data because it holds so many proverbial eggs in its basket.
Security intelligence organization Exabeam conducted some recent research to analyze dozens of popular websites such as Google, Facebook, Amazon, and others to determine what kind of user data is stored when interacting with these entities. They found a significant amount of user information kept both on local storage and in the browser.
As a result, Exabeam released a recent blog post which outlines some of the ways your browser can be used against you along with recommended techniques to stay safe.
Here is a summary of their findings along with some other tips for protection:
1.Accessing browser history
Your browser history is a veritable map of where you go on the internet and for what purpose. And it’s not only possible to tell where you’ve been, but when you’ve been there, establishing your behavioral patterns.
Knowing you access certain sites can lead to phishing attacks against you to obtain your credentials for those sites (assuming you haven’t stored this information in the browser), establishing your purchasing habits (for instance if you are a football fan and visit NFL sites, your credit card company isn’t likely to raise an eyebrow if a slew of charges for football merchandise start showing up on your compromised credit card) or even blackmail if the site(s) in question prove illegal or unethical, or allegations thereof can be made.
Recommendations:
Clearing the browser cache is a good way to flush potentially damaging information, especially after engaging in confidential activities such as conducting online banking. This can be performed manually or set to do so automatically such as when closing the browser (Google the details for your browser version and operating system to carry out this and the other recommendations as the steps involved may be subject to change).
Use incognito mode (private browsing) since no harvestable data is stored (if you must use a public system, always make sure to do so with incognito mode).
SEE: Nine ways to disappear from the internet (free PDF) (TechRepublic)
2.Harvesting saved login credentials
Saved logins paired with bookmarks for the associated sites you visit are a deadly combination. Two mouse clicks might be all it takes for a criminal to have access to your banking/credit card website. Some sites do use two-factor authentication, such as texting access codes to your mobile phone, but many of them utilize this on a one-time basis so you can confirm your identity on the system you’re connecting from. Unfortunately, that system is then deemed trusted, so subsequent access may go entirely unchallenged.
Saved credentials associated with your email account is basically like Kryptonite to Superman in a scenario like this. An attacker who can get into your email can reset your password on almost any other website you access. And keep in mind they might not need to be on your system to do so – if they obtain your email address and password they can work at leisure from any other system they choose.
Just taking a series of screenshots (or even utilizing the camera on a mobile phone) can allow an attacker on your system to record all of your saved passwords. Firefox lets you view these quite easily. While Chrome at least requests your logon password to do so, as stated resetting this is quite easy with administrative access (which can be simple to obtain thanks to password reset utilities such as Offline NT Password and Registry Editor).
Recommendations:
Don’t save credentials in the browser. Instead, take advantage of free password managers such as KeePass or Password Safe to store passwords (never write them down) via a central master password. These password managers can securely store all your website passwords. A password manager can even access a saved URL and login for you, adding to the convenience and security of your information.
3.Obtaining autofill information
Autofill information can also be deadly. Chrome can save your home address information to make it easier to shop online, but what if your device fell into the wrong hands? Now an attacker knows where you live – and probably whether you’re home.
Recommendations:
Turn off autofill for any confidential or personal details.
SEE: Password management policy (Tech Pro Research)
4.Analyzing cookies
Cookies (files stored locally which identify users/link them to sites) are another potential attack vector. Like the browsing history, they can reveal where you go and what your account name might be.
As with #1, incognito mode can also come in handy here.
Recommendations:
Disabling cookies is touted as a potential solution, but this has been a problematic “fix” for years since many sites depend on cookies or at least severely limit your functionality (or possibly annoy you with nagging prompts) if these are turned off.
Instead, purging cookies periodically can help protect you, though be prepared to enter information repeatedly as prompted by websites.
5.Exploring the browser cache
The browser cache involves storing sections of web pages for easier access/loading on subsequent visits, which can outline where you’ve been and what you’ve seen. Malware can be tailored to prey upon cache data as well.
Exabeam also considered location history and device discovery to be risky elements in their blog post, stating these could expose user location and other devices used.
Recommendations:
As with #1 and #4, incognito mode can also come in handy here, or manually clear the cache as needed, particularly after sensitive operations.
Some other suggestions
I strongly support setting and utilizing complex passwords on your devices which are rotated periodically, and always encrypt local storage devices, especially on portable systems, to reduce the risk of access to browser data.
Use physical security such as cable locks for laptops, and always lock the screen of your systems when not in use (I do this on my home Windows PC as well). Don’t share machines/passwords with other people.
Take advantage of two-factor authentication where possible and set up recovery accounts where possible for your website accounts, and specify your mobile number and security questions for password resets. Be on the lookout for suspicious activity like emails about new accounts or password resets you didn’t request.
Some sites like Facebook can tell who is currently logged into your account (go to Settings then Security and Login), so check these details periodically – especially if anything out of the ordinary is going on.
Exabeam also recommends utilizing anti-malware software which is routinely updated along with several browser-related options (Google your browser and operating system version for the specific details on how to enact these as settings may change).
Users should also consider changing browser settings to further protect their privacy, or at least analyzing them to be aware of what options are currently enabled/disabled. There are guides online for Chrome, Firefox, Internet Explorer, Safari and Opera.
Also see:
- How to easily refresh your Firefox Quantum browser (TechRepublic)
- Opera now blocks attackers from hijacking your browser for mining Bitcoin (TechRepublic)
- How to deploy Firefox with locked about:config settings (TechRepublic)
- Mozilla’s Firefox 59 can stop websites from spying on you (TechRepublic)
- If browsers are the new operating systems, why don’t they have the security to match? (ZDNet)
- In security push, Chrome will soon mark every HTTP page as “non-secure” (ZDNet)
