Identity Finder recently conducted a deep scan of its employee computers utilizing Google Chrome and found unencrypted, plain-text copies of all keystrokes on each employee's hard drive, including social security numbers, home addresses, email addresses, credit card numbers and bank card numbers. This was true even if that information was input on a “secure” website.
“With most sensitive data stored by Chrome, such as passwords, the only way for malware or a hacker to gain access is if a user is logged in. However, in this case some information is stored in clear text and is accessible whether or not the user is logged in,” explained Todd Feinman, CEO at Identity Finder, in a statement. “By default, Google Chrome stores form data, including data entered on secure websites, to automatically suggest for later use.”
Clearly the security implications of this are prodigious: the stored data can be read by anyone with physical access to the hard drive or access to the file system, or by simple malware. Also, any business that must comply with PCI-DSS is at increased risk of failed audits and increased costs because employees entering credit card data in Chrome are inadvertently expanding their cardholder data environment.
Perhaps most worryingly, an attacker can simply deploy a backdoor to access and easily upload the unprotected data without the user’s knowledge or consent; there are dozens of well-known exploits to access payload data and locally stored files.
Identity Finder researchers demonstrated a proof-of-concept exploit that would allow malicious code to upload Chrome cache data to a third-party site. In the attack scenario, a criminal would only have to trick users into allowing the exploit access to their file system. The exploit does not require users to enter sensitive information, their system credentials or to decrypt any stored data.
“A criminal would only have to trick a user into allowing ‘heightened access,’ and all cache files would be stolen without any additional warning,” Identity Finder explained. “In short, private information is being served on a silver platter for any criminal industrious enough to gain access.”
The company said that it has notified Google of the risk. So far, Google has made no public statement on the issue.
Chrome is the world's third most popular web browser with a 16% market share; Firefox has a 19% share and Internet Explorer holds a 58% share, according to Net Applications. But the issue may not be limited to Chrome.
“As of now, Chrome is the only browser we have analyzed in-depth,” Identity Finder explained in a blog post. “We may analyze other browsers in the near future. But the fact that these risks have been around since version 2.0 of Chrome, or that similar vulnerabilities may be shared by other browsers, only adds to the urgency for browser makers to secure all stored browser data.”
Employees and consumers can protect themselves by following good sensitive data management practices. Any time a credit card number or other PII is entered into a form, clear saved Autofill form data, empty the cache, use the “clear browsing history from the past hour” function and restart Chrome; the information will then be erased. Alternatively, disabling Autofill or using Incognito mode will protect form data, Identity Finder noted.
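One way to check that a file holds no plain-text card numbers or Social Security numbers after the cleanup described above is a pattern scan with Luhn validation, reporting only masked values. This is an added example, not Identity Finder's scanner or anything from the original article; the function names, the regular expressions and the `SAMPLE` bytes are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(rb"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# Candidate US SSNs in the common dashed form.
SSN_RE = re.compile(rb"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself holds no sensitive data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_bytes(blob: bytes) -> list[tuple[str, int, str]]:
    """Return (kind, byte offset, masked value) for each plain-text hit in blob."""
    hits = []
    for m in PAN_RE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            hits.append(("card", m.start(), mask(digits)))
    for m in SSN_RE.finditer(blob):
        digits = m.group().replace(b"-", b"").decode()
        hits.append(("ssn", m.start(), mask(digits)))
    return sorted(hits, key=lambda h: h[1])


def scan_file(path: str) -> list[tuple[str, int, str]]:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample standing in for a file that stores form input in clear text.
# 4111 1111 1111 1111 is a well-known test number; the "order" value fails Luhn.
SAMPLE = (b"\x00name=Jane Doe\x00cc=4111 1111 1111 1111\x00"
          b"ssn=078-05-1120\x00order=1234567890123456\x00")

if __name__ == "__main__":
    for kind, offset, value in scan_bytes(SAMPLE):
        print(f"{kind:4} offset={offset:<4} {value}")
```

An empty result from `scan_file` on a given file means no values matching these two patterns remain in it; other formats of PII would need their own patterns.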