The secrets web browsers hold about users – what's the risk?

Research from Exabeam reveals how a simple malware attack could expose the personal data stored in a user’s web browser – including their browsing habits, online purchases and banking information – to cyber criminals. 

There’s a wealth of information stored locally on a user’s web browser that’s ripe for the picking. That’s the finding of research undertaken by Exabeam which set out to discover how much personal information is stored deep within your web browser, and how easy it would be for enterprising cyber criminals to exploit this data. 

The findings reveal just how much sensitive information is there for the taking. Enough for hackers to build up an extensive ‘web dossier’ on you that could then be used to predict your future behaviours, simply by using freely available malware to access the detailed artifacts stored in your computer’s web browser. 

Indeed, it turns out that criminals can discover all sorts of details about you. Everything from your current location, your typical daily routine and what you like to buy when you shop online, down to your hobbies and interests, who you bank with and even your passwords. In some instances, it’s even possible to recover bank account details and credit card numbers. 

The research findings make for uncomfortable reading and highlight how we should all take appropriate precautions to reduce our digital footprint when browsing online. 

What browsers store and why

Modern browsers are designed to give users a customizable experience by tracking activity and collecting information that can then be used to do things like automatically entering passwords, phone numbers and other information. 

Websites use code known as cookies to recognize users and make their experience better. For example, there’s no need to re-enter your login credentials every time you return to a website if you’ve checked the ‘Remember Me’ or ‘Keep Me Logged In’ option boxes on login pages. 

Browsers track plenty of other information about your activities, including the sites and pages you’ve visited right down to details like URL, page title and timestamp. 

Similarly, all today’s browsers have some form of password manager that stores login information for various sites in a single spot. Then there’s that handy little timesaving autofill option that completes commonly-entered information automatically for you. 

While all this creates a richer and more convenient browsing experience, should someone be able to extract this data they could build a detailed web dossier on you.

Once armed with these insights about your personal habits and interests, and the apps you commonly use – including sensitive work apps – they may even be able to guess your passwords or craft highly believable spear-phishing attacks.

Harvesting the data

Exabeam’s researchers tested 1000 of the most popular websites, including Facebook, Google Mail, Amazon, Instagram and PayPal, as well as ecommerce sites like Alibaba and Walmart and news sites like CNN and USA Today, using the popular Firefox and Chrome web browsers. 

Next, the researchers visited sites, created user accounts on popular web apps, and performed basic tasks to see which actions could be recovered from local browser files.

The research found that many of the websites tested stored users’ personal information locally, using HTTP cookies and other formats, in the computer’s web browser. 

This often included sensitive information such as search terms, downloaded files and location data, account usernames and associated email addresses as well as the titles of viewed emails and documents. 

By reviewing saved log-in information, the researchers were also able to extract saved passwords for all the websites visited, thanks to the web browser’s inbuilt default password manager.

How attackers gain access

Attacking data stored locally in web browsers turns out to be straightforward enough, thanks to the wealth of malware that’s been around for years, such as the Cerber, Kriptovor and CryptXXX ransomware families.

Indeed, the ‘Olympic Destroyer’ malware used to disrupt the Pyeongchang Olympic Games is reported to have taken advantage of user credentials saved in the browser.   

Similarly, free tools like NirSoft’s WebBrowserPassView, originally designed to help users recover their own passwords from browsers, can also be used by attackers to plunder personal and sensitive data.

Internet users also need to be wary when working on a shared computer or in a shared workspace. It takes just moments to insert a USB drive running specialised software into an unlocked machine or a quick click of a web link to insert malware. 
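One way to detect the access pattern described in this section, as an added example that is not part of Exabeam's research: flag any process other than the installed browser that opens a browser password, cookie, autofill or history store. The event format, user paths and allow-list are assumptions made for illustration; the file names are the standard Chrome and Firefox profile stores.

```python
import ntpath

# File names of the Chrome and Firefox profile stores discussed above.
SENSITIVE_STORES = {
    "login data": "saved passwords", "logins.json": "saved passwords",
    "key4.db": "password key store",
    "web data": "autofill", "formhistory.sqlite": "autofill",
    "cookies": "cookies", "cookies.sqlite": "cookies",
    "history": "history", "places.sqlite": "history",
}
PROFILE_MARKERS = ("\\google\\chrome\\user data\\", "\\mozilla\\firefox\\profiles\\")
# Assumption: install paths of the browsers on this host. Matching the full
# path, not just the file name, stops a binary renamed to chrome.exe passing.
ALLOWED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}

def flag_events(events):
    """Return (time, image, store) for non-browser reads of browser stores."""
    alerts = []
    for ev in events:
        path = ev["path"].lower()
        if not any(marker in path for marker in PROFILE_MARKERS):
            continue  # not inside a browser profile directory
        store = SENSITIVE_STORES.get(ntpath.basename(path))
        if store and ev["image"].lower() not in ALLOWED_IMAGES:
            alerts.append((ev["time"], ev["image"], store))
    return alerts

CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
FIREFOX = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x.default"
# Constructed file-access events (hypothetical format, not real telemetry).
SAMPLE_EVENTS = [
    {"time": "09:00:01", "path": CHROME + r"\Login Data",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"time": "09:14:37", "path": CHROME + r"\Login Data",
     "image": r"C:\Users\alice\Downloads\viewer.exe"},
    {"time": "09:14:38", "path": FIREFOX + r"\places.sqlite",
     "image": r"C:\Users\alice\Downloads\viewer.exe"},
    {"time": "09:20:10", "path": CHROME + r"\Network\Cookies",
     "image": r"C:\Users\alice\AppData\Local\Temp\chrome.exe"},
    {"time": "09:21:00", "path": r"C:\Users\alice\Documents\History",
     "image": r"C:\Users\alice\Downloads\viewer.exe"},
]

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print(alert)
```

Events of this shape have to come from file-access auditing or endpoint telemetry, and legitimate tools such as backup software will need adding to the allow-list.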

Taking steps to protect yourself 

Ensuring you have end-point protection in place in the form of antivirus software is the most important step you should take, as this should prevent most of the malware that’s targeted at harvesting your information to create a profile. 

Taking a tiered approach to your Internet browsing habits is also recommended, ensuring you adopt additional precautions when undertaking sensitive activities like online banking. However, these steps come with a trade-off in relation to your browsing experience: 

  • Using ‘incognito mode’ in your browser will ensure no local artifacts from your session are saved. But leaving no digital footprint means you’ll need to type in the URLs of sites you frequently visit as well as credentials and searches. 
  • Disabling autofill and not using ‘Remember my password’ features will ensure this history is not saved locally for potential exploitation. 
  • Regularly clearing all cookies and local browsing information will lessen the amount of data available to attackers but means you may have to search again for things you’ve looked at in the past and could encounter problems with websites, especially those that require a login. 
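To check what regular clearing actually removes, the added example below (not from Exabeam's research) measures how many history rows a browser retains, for which hosts, and how far back they go. It assumes a subset of the columns in Chrome's `urls` history table and runs against a constructed in-memory database with placeholder hosts.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chrome records visit times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def audit_history(conn, now):
    """Report how many history rows are retained, for which hosts, and how old."""
    rows = conn.execute("SELECT url, title, last_visit_time FROM urls").fetchall()
    hosts = {}
    for url, _title, _ts in rows:
        host = urlsplit(url).hostname or "(no host)"
        hosts[host] = hosts.get(host, 0) + 1
    oldest = min((webkit_to_datetime(ts) for _, _, ts in rows), default=None)
    return {
        "entries": len(rows),
        "with_title": sum(1 for _, title, _ in rows if title),
        "hosts": hosts,
        "retained_days": (now - oldest).days if oldest else 0,
    }

def build_sample_db(visits):
    """Constructed in-memory database with a subset of Chrome's `urls` columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                 "title TEXT, visit_count INTEGER, last_visit_time INTEGER)")
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, 1, ?)",
        [(u, t, datetime_to_webkit(d)) for u, t, d in visits])
    return conn

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample visits (placeholder .example hosts, not real history).
SAMPLE_VISITS = [
    ("https://bank.example/accounts", "Accounts overview", utc(2024, 5, 30)),
    ("https://bank.example/transfer", "Transfer funds", utc(2024, 5, 30)),
    ("https://mail.example/inbox", "Inbox (3)", utc(2024, 5, 31)),
    ("https://shop.example/cart", "", utc(2023, 6, 2)),
]

if __name__ == "__main__":
    print(audit_history(build_sample_db(SAMPLE_VISITS), utc(2024, 6, 1)))
    print(audit_history(build_sample_db([]), utc(2024, 6, 1)))  # after clearing
```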

Many of today’s users are unaware of just how easy it is for cybercriminals to gain access to their browser and start piecing together a web dossier of harvested data that could potentially be exploited in several ways. 

Taking steps to ensure your personal web dossier data is shielded from prying eyes may mean balancing convenience on the one hand and security on the other, but it’s a small price to pay to ensure your privacy is preserved.

  • Ryan Benson is a Senior Threat Researcher at Exabeam

Ryan Benson is a Security Engineer at Google and previously held DFIR roles at Exabeam, Stroz Friedberg, and Mandiant. He has experience investigating insider threats, responding to intrusions, and performing digital forensics in support of legal proceedings. He is the author of Hindsight, an open source web browser forensics tool, and researches and blogs about DFIR topics with an emphasis on browser forensics.