Google Chrome vulnerability leaves sensitive data at risk
Posted by: Jon Ben-Mayor on 10/11/2013 08:30 AM
Identity Finder has exposed a potentially serious flaw in Google Chrome. The flaw lies in Chrome's caching mechanism, which allows sensitive data to be written unencrypted directly to your hard drive, without your knowledge or consent.
Identity Finder researchers performed in-depth scans on several employee computers using the latest version of Sensitive Data Manager (SDM). During the scan, SDM pinpointed several Chrome SQLite and protocol buffers storing a range of information including names, email addresses, mailing addresses, phone numbers, bank account numbers, social security numbers and credit card numbers. SDM found similar data among all employees who consistently use Chrome as their primary browser.
They confirmed with each employee that sensitive data, such as social security and bank account numbers, were only entered on secure, reputable websites. Despite employees having entered this information on secure websites, Chrome saved copies of this data in the History Provider Cache. Other SQLite databases of interest include "Web Data" and "History." On Windows machines, these files are located at `%localappdata%\Google\Chrome\User Data\Default`.
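The kind of check Identity Finder's scanner performed can be reproduced on a small scale as an audit step: open the profile's "Web Data" SQLite file read-only and tally autofill rows whose values look like social security or payment card numbers, reporting only the counts and field names rather than the values. The script below is an added example written for this article; it is not Identity Finder's or Google's code. It assumes the `autofill` table layout shown in `AUTOFILL_SCHEMA` (an assumption about Chrome's schema, which changes between versions, so verify it against the installed build before relying on it) and builds a constructed sample database so it runs offline; pointing `audit_web_data` at a copy of a real "Web Data" file is left to the reader.

```python
import os
import re
import sqlite3
import tempfile
from typing import Optional

# Assumed layout of the "autofill" table in Chrome's "Web Data" file.
# This is an assumption for the example, not taken from the article.
AUTOFILL_SCHEMA = """
CREATE TABLE autofill (
    name VARCHAR,
    value VARCHAR,
    value_lower VARCHAR,
    date_created INTEGER DEFAULT 0,
    date_last_used INTEGER DEFAULT 0,
    count INTEGER DEFAULT 1,
    PRIMARY KEY (name, value)
)
"""

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")


def default_profile_dir() -> str:
    """Default Chrome profile directory on Windows, as given in the article."""
    return os.path.join(os.environ.get("LOCALAPPDATA", ""),
                        "Google", "Chrome", "User Data", "Default")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real-looking card numbers from noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(value: str) -> Optional[str]:
    """Return 'ssn-like', 'card-like', or None for one autofill value."""
    v = value.strip()
    if SSN_RE.match(v):
        return "ssn-like"
    if CARD_RE.match(v) and luhn_ok(re.sub(r"[ -]", "", v)):
        return "card-like"
    return None


def audit_web_data(db_path: str) -> dict:
    """Open a Web Data file read-only and count sensitive-looking autofill rows.

    Only counts and the form field names are returned, never the stored values.
    Chrome holds a lock on the live file, so audit a copy or close the browser.
    """
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute("SELECT name, value FROM autofill").fetchall()
    finally:
        conn.close()
    report = {"rows": len(rows), "ssn-like": 0, "card-like": 0, "fields": set()}
    for name, value in rows:
        kind = classify(value or "")
        if kind:
            report[kind] += 1
            report["fields"].add(name)
    report["fields"] = sorted(report["fields"])
    return report


def build_sample_db(path: str) -> None:
    """Constructed sample Web Data file with the sort of rows the article describes."""
    conn = sqlite3.connect(path)
    conn.executescript(AUTOFILL_SCHEMA)
    conn.executemany(
        "INSERT INTO autofill (name, value, value_lower) VALUES (?, ?, ?)",
        [
            ("email", "jane@example.com", "jane@example.com"),
            ("ssn", "078-05-1120", "078-05-1120"),                  # well-known test SSN
            ("cardnumber", "4111 1111 1111 1111", "4111 1111 1111 1111"),  # test PAN
            ("zip", "90210", "90210"),
        ],
    )
    conn.commit()
    conn.close()


if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "Web Data")
    build_sample_db(sample)
    print(audit_web_data(sample))
    print("live profile would be:", default_profile_dir())
```

Run as-is it audits only the constructed sample; to check a real profile, copy the "Web Data" file out of the directory above while Chrome is closed and pass the copy's path to `audit_web_data`. The regexes are deliberately narrow (dashed SSNs, 13 to 19 digit Luhn-valid numbers), so a zero count is not proof that nothing sensitive is stored, only that nothing matched these two patterns.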
Chrome browser data is unprotected, and can be read by anyone with physical access to the hard drive, access to the file system, or simple malware. There are dozens of well-known exploits to access payload data and locally stored files. To see whether Chrome data was at risk of theft, Identity Finder researchers created a small proof-of-concept exploit that would upload Chrome cache data to a third party site (See screenshot below). In this attack scenario, an attacker would only have to trick a user into permitting access to their file system. Attackers could acquire vast amounts of personal information without requiring users to enter anything into a form, or system credentials.
CyberTruth contacted Google spokeswoman Leslie Miller for comment; Miller says she's looking into it.
"By default Google Chrome stores (web) form data, including data entered on secure websites, to automatically suggest for later use," says Feinman. "This stored data is unencrypted text and accessible if your computer or hard drive is stolen or is infected with malware."
The risks of identity theft to consumers are obvious. Businesses that must comply with the payment card industry's PCI-DSS security rules could fail audits if employees are in the practice of entering credit card data in Chrome.
An extra step employees and consumers can take is to regularly clear Chrome's cache. Until Google addresses this gaping security hole, Chrome users would be wise to learn how to clear Chrome's cache, and do it often.
Security researchers have long warned Google of the dangers presented by poorly-conceived security and privacy controls. "This is no longer a theoretical risk that can be dismissed," Feinman says. "The fact that these security risks have been hard-coded into Chrome for so long only adds to the urgency for browser makers to secure all stored browser data."