A study from Exabeam shows that web browsers have become an enormous risk for businesses. Exabeam security experts have used relatively simple malware tools to get access to a large amount of personally identifiable data in local web browsers – including Google Chrome and Firefox.
Nowadays, browsers store a large amount of user data. With usernames, passwords, credit card information and the history of websites visited, criminals can do a lot of damage. Until now, users and companies thought they were safe: Data in the browser is well protected and encrypted. But that's not true, as you can read below.
Hackers create web dossiers
When a user accesses the Internet, their data is used by website developers and advertisers to customize the 'surfing experience', track locations and maximize the impact of advertising. This information is often stored in the web browser. This is not just a big risk for consumers: companies in particular are exposed, because their employees access the Internet from company computers.
Under certain circumstances, company data may be used in the browser as part of employee tasks. This entails the risk that corporate customer data may be tapped and that, in some cases, bank account numbers may be recovered from such data.
In addition, criminals can determine, for example, when an employee is usually at work and when he or she is at home. Access to the employee's browser history can also show attackers their personal interests or private details. Information such as hobbies or child names can then be used as clues to guess passwords. In extreme cases, an attacker can also use sensitive personal information to blackmail an employee.
To prepare for complex attacks, hackers go one step further: to gain an accurate picture of an employee's habits and activities, hackers create web dossiers from a person's collected browser data. And getting access to this browser data is not as difficult as you might think.
Spying with malware in local browser files
Cybercriminals may use easy-to-use and readily available malware to access the data stored in web browsers. This includes visited web pages including URL, page title and timestamp, HTTP cookies, LocalStorage introduced with HTML5, password manager data, browser cache and data that is automatically filled in.
Exabeam ran a test
In a test of a thousand of the most popular sites, including Facebook, Gmail, Amazon, Instagram and PayPal, Exabeam security specialists found personal data of users. These were stored locally and in the web browser of the computer in the above formats. Potentially, this also applies to sensitive corporate information, including account usernames, associated email addresses, search terms, titles of displayed emails and documents, and downloaded files and location data.
By checking the stored credentials, Exabeam was also able to extract stored passwords for all tested websites. This is not a weakness of the websites themselves, but of the default password manager of web browsers.
Exabeam used OpenWPM, a Firefox-based framework that focuses on analyzing device and user geolocalization. OpenWPM can be used to measure privacy. Exabeam modified its copy of OpenWPM to obtain the data mentioned above.
User accounts and browser information
In addition, security researchers have tested user accounts and actions, such as creating accounts, logging in, and performing relevant actions. The goal was to determine what information can be found in the local browser files.
How do I get the information?
Developing malware to collect this information is very easy. Variants, including the ransomware families Cerber, Kriptovor and CryptXXX, have been around for years. The free NirSoft tool WebBrowserPassView outputs stored passwords from web browsers – even though it is supposed to help users recover their own passwords.
Note: The NirSoft tool WebBrowserPassView is already blocked as a hack tool by Defender or Security Essentials during download under Windows.
Risk: Shared computers
For many companies, there is an additional security risk: shared computers and workspaces. When a computer is unlocked, browser data can be extracted for analysis in seconds and malware can be inserted via either a USB port or a malicious link.
How organizations can protect their employees
There are a number of measures in place to protect employees and businesses from the threat of web browser information. Because the biggest threat comes from criminals who access browser data via malware, the most important thing is to ensure that antivirus software is running on corporate devices. This should stop most of the malware that is targeting web browser data.
Many users assume that passwords are securely stored in the browser. Browsers do encrypt the stored passwords. But the passwords are decrypted when they are used and can be read by any process. Browsers often use host operating system APIs to protect stored passwords, and access to them is not exclusive to the browser. The NirSoft tool and various malware programs take advantage of this fact.
Using a third-party password manager can provide an additional layer of security. Such a password manager is usually more difficult for attackers to access than the integrated browser password managers. But although these third-party password managers often offer advanced features that promote better password practice for the user, these applications may also have vulnerabilities.
For cloud-based password managers, employees send password information from the enterprise to a third party, raising additional security and confidentiality concerns.
Adapt browser settings and train employees
A number of measures can provide additional protection, but also affect surfing the net. Companies can change their employees' browser settings to better protect their privacy:
- For example, if Google Chrome's Incognito mode is used, very little information is stored locally. This means less information for hackers, but also less tailored websites and very few relevant browsing suggestions.
- Disabling HTTP cookies also leaves less room for data abuse by attackers, but causes problems on many websites, especially when they require sign-in.
- An effective method is to encourage employees to regularly delete either all or selected browser histories. While this means that less information is available to the browser to provide web suggestions and retrieve previously visited web pages, it also significantly reduces the amount of data available to attackers.
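Settings like the ones listed above can be enforced centrally through managed browser policies instead of being left to each user. The following Python script is an added example (not from the original article or from Exabeam) that audits a Chrome managed-policy JSON file against these measures; the mapping of the measures to Chrome policy names and the sample policy are assumptions made for illustration.

```python
import json

# Constructed sample of a Chrome managed-policy JSON file; values are
# illustrative and not taken from the article.
SAMPLE_POLICY = """{
  "PasswordManagerEnabled": true,
  "SavingBrowserHistoryDisabled": false,
  "IncognitoModeAvailability": 2,
  "DefaultCookiesSetting": 4,
  "AutofillCreditCardEnabled": false,
  "ClearBrowsingDataOnExitList": ["browsing_history", "cached_images_and_files"]
}"""

# Chrome policy -> (test for the restrictive value, measure it enforces).
# Assumption: this mapping of the article's measures to policies is ours.
CHECKS = {
    "PasswordManagerEnabled": (lambda v: v is False, "built-in password store off"),
    "AutofillCreditCardEnabled": (lambda v: v is False, "no saved card data"),
    "AutofillAddressEnabled": (lambda v: v is False, "no saved address data"),
    "SavingBrowserHistoryDisabled": (lambda v: v is True, "history not kept"),
    "IncognitoModeAvailability": (lambda v: v == 2, "Incognito forced"),
    "DefaultCookiesSetting": (lambda v: v in (2, 4), "cookies blocked or session-only"),
}
# Data types that should be wiped every time the browser closes.
WIPE_ON_EXIT = {"browsing_history", "cookies_and_other_site_data",
                "cached_images_and_files", "autofill"}


def audit_policy(policy_json):
    """Return a sorted list of findings; an empty list means all checks pass."""
    policy = json.loads(policy_json)
    findings = []
    for name, (is_restrictive, measure) in CHECKS.items():
        if name not in policy:
            findings.append(f"{name}: not set, browser default applies (want: {measure})")
        elif not is_restrictive(policy[name]):
            findings.append(f"{name}: {policy[name]!r} (want: {measure})")
    wiped = set(policy.get("ClearBrowsingDataOnExitList", []))
    missing = sorted(WIPE_ON_EXIT - wiped)
    if missing:
        findings.append("ClearBrowsingDataOnExitList: missing " + ", ".join(missing))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Each finding names a policy that still lets the browser keep the corresponding data on disk; the restrictive values carry the usability costs described in the list above.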
Much of the information collected by the browser is intended to facilitate web browsing, but this data can be aggregated and misused by criminals to profile employees and the whole company.
While organizations can take a variety of measures to mitigate risk, none of these solutions offer absolute security. That's why it's important that endpoint protection is assured and that devices are not unlocked in public places.
Another key factor in the fight against attackers is awareness and education: protection by vigilant employees is one of the cornerstones of security for any company.
Exabeam offers security intelligence and management solutions that help companies protect their information. More information is available at www.exabeam.com.
It is funny that I keep hearing about the same security problem for the past 15 years or so. I have found a solution. Now, when I hear of this it seems to be more about insane people unwilling to accept change, or find a solution.
Michael, what's the solution?