Modern web browsers are designed to make user experiences customised, intuitive and simple. Developers have been improving their systems by utilising the data users create when they surf the web, and advancements in Big Data mean they have access to more data than ever before. This allows them to track a range of information on users. Using this information to sell targeted advertising has made data collection profitable.
Research from Exabeam shows the extent of data collected on web browser users. Exabeam tested what data is left in Firefox after browsing the Alexa top 1000 websites, as well as what user accounts and actions from a subset of these domains are stored in Chrome.
The results show that the pursuit of optimised browsing produces a wealth of personal information. Significantly, this information – normally accessible only to your bank – is freely available on your browser to anyone with the right tools and knowledge to access it.
Exabeam looked at five data types that are commonly used by browsers to store information. These include:
- Autofill: the data used to automatically fill out information such as names, phone numbers and addresses
- Visited Sites: the URLs, web page titles, timestamps and other information on all of the web sites users visit
- Login Information: whenever the ‘remember me’ option is used, usernames and passwords are stored in browsers. This can be stored through password managers or even as cookies
- HTTP Cookies: generally small pieces of data a website wants stored on your browser for future browsing
- LocalStorage: an upgraded version of the cookie that can store more data locally. These were introduced in HTML5
Exabeam was able to extract saved passwords used on websites. This is not the fault of the websites visited, but rather of the default password managers employed by web browsers.
After reviewing all the extracted data, Exabeam showed it was possible to infer sensitive details about the user. Collating all the data reveals a potentially dangerous portrait of the user’s habits and activities.
There are various ways users could piece all the data together. A few quick examples of what Exabeam proved possible include:
- Account Discovery: you can compile a list of all the applications accessed by a user. This means work applications, personal finance sites, usernames and URL history
- Location History: Sports, News and other websites often track the location of users visiting their sites. Over time investigators can gather multiple data points to determine when you are at home vs when you are at work, or where else you go in your free time
- User Interests: with your URL and location history, identifying user interests is not difficult to discover. This can be particularly worrying for users with controversial, unusual or illegal interests
- Device Discovery: as browsers want to offer consistent experience to users across devices, they track what devices users access from their browsers. So whether you’re syncing records to another device or paring with a screen to share content, your browser stores what devices are involved
Cybercriminals are aware of how useful browser-stored data is and the tools to harvest it are freely accessible on the Internet. As seen with the recent cyber attack on the 2018 Winter Olympics, cybercriminals are already using browser data as part of their attack strategies. In this case, malware extracted saved passwords on endpoints’ browsers. This allowed the attackers to move further into the Olympic network.
There is no reason why cybercriminals couldn’t use these strategies on businesses. Criminals will be exploring all the options to exploit this data; after all, finding new vectors to launch attacks from is useful for increasing the odds of success.
There is also an internal risk to consider. An employee with malign intent could harvest the data on their colleagues or the business. This could reveal personal secrets for use in blackmailing or bullying, or for employees to uncover sensitive corporate knowledge by using the usernames and passwords of their superiors. A malicious insider could pick and choose IP to sell off to competitors.
Businesses should approach these threats in the same way as any other security risk. Train employees on the dangers of web browsing, and implement security policies to tackle the immediate issues.
The immediate threat comes from criminals, inside or out, that attempt to access browser data through malware. Aside from the obvious advice of use AV software, employees must be aware of phishing tactics and any other person accessing their machines.
To minimise the amount of data at risk, there are several actions businesses can take. It would be good practise for employees to use ‘incognito’ modes to stop any data being saved on the browser. This is not necessary for everyday use, but is a good measure to take if your employees are constantly working with sensitive data, such as HR.
Disabling cookies, ‘remember me’ functions and autofills can go a long way to reducing the amount of information available via browsers. This could inconvenience users accustomed to automated web browsing, but is a valid method of reducing risk in your business.
Anyone currently using popular consumer web browsers is at risk of having their, or their business’s, private details exposed. Cybercriminals will use any avenue available to access monetisable data, and businesses can’t afford to leave any holes in their armour. By being proactive, and maintaining a strong security posture, businesses can mitigate the web browser risk.