Google Chrome saves sensitive data entered on https websites in plaintext
Back in Summer 2013 Google was criticized for storing user login information -- username and password -- in plaintext in the web browser without any sort of protection. For some, this was a critical security risk that could easily have been avoided, for instance by implementing a master password protecting the data.
Others -- and Google -- pointed out that local access was required to access the data, and if local access was granted, the computer was compromised anyway opening other attack vectors as well.
A few days ago, security research company Identity Finder, discovered another -- related -- issue in Google Chrome. According to the company's findings, Chrome stores sensitive information, entered on https websites and services, in plaintext in the browser cache.
Note: While many believe that browser's do not cache https pages and data because of the secure nature of the connection, it needs to be noted that https contents may be cached. This depends solely on a site's or server's response headers (that are transferred to the web browser). If the caching headers allow the caching of HTTPS contents, web browsers will do so.
Chrome and sensitive data
Identity Finder discovered that Chrome was storing a range of sensitive information in its cache including bank account numbers, credit card numbers, social security numbers, phone numbers, mailing addresses, emails and more.
The company confirmed that these information were entered on secure websites, and could easily be extracted from the cache with search programs that scan any type of file for plaintext data.
The data is not protected in the cache, which means that anyone with access to it can extract the information. This does not necessarily mean local access, as malicious software running on a user's computer, and even social engineering, may yield the same results.
Handing over the computer to a computer repair shop, sending it in to the manufacturer, or selling it on eBay or Craigslist may provide third parties with access to sensitive information stored by the browser.
Protection
How can you protect your data against this? Google wants you to use full disk encryption on your computer. While that takes care of the local access issue, it won't do a thing against malware attacks or social engineering.
It is like saying that website operators may save passwords in plaintext in the database, as the battle is lost anyway if someone gains access to the server locally or remotely.
In regards to Chrome, the only option that you have is to clear the cache, autofill form data and browsing history regularly and preferably right after you have entered sensitive information in the browser.
You cannot automate the process using Chrome alone, but need a third party tool or extension to clear the data when you close the browser automatically.
Other browsers
Identity Finder only analyzed the cache of Google Chrome and if you are not using the browser, you are probably wondering if your browser stores sensitive information in plaintext as well.
Firefox, almighty when it comes to customizing the browser, lets you disable SSL caching in the advanced configuration.
- Type about:config in the address bar and hit enter.
- Confirm you will be careful if this is your first visit to the page.
- Search for browser.cache.disk_cache_ssl
- Set the preference to false with a double-click on its name to disable SSL caching.
- Repeat the process if you want to enable it again.
Firefox will use the computer's memory to cache files, which means that the information are automatically deleted when Firefox closes, and never recorded to disk.
If you do not want that either, set browser.cache.memory.enable to false as well.
No comments:
Post a Comment