Identity Finder Discovers Google Chrome Users Are Vulnerable to Sensitive Data Theft

Last week, Identity Finder security researchers performed in-depth scans on several employee computers using the latest version of Sensitive Data Manager (SDM). During the scan, SDM pinpointed several Chrome SQLite and protocol buffers storing a range of information including names, email addresses, mailing addresses, phone numbers, bank account numbers, social security numbers and credit card numbers.  SDM found similar data among all employees who consistently use Chrome as their primary browser.

Chrome's History Provider Cache contained SSNs, bank account information, addresses, email, and a bunch of other stuff you'd want to keep to yourself.

Chrome’s History Provider Cache contained SSNs, bank account information, addresses, email, and a bunch of other stuff you’d want to keep to yourself.

We confirmed with each employee that sensitive data, such as social security and bank account numbers, were only entered on secure, reputable websites. Despite employees having entered this information on secure websites, Chrome saved copies of this data in the History Provider Cache. Other SQLite databases of interest include “Web Data” and “History.”  On Windows machines, these files are located at %localappdata%\Google\Chrome\User Data\Default\.

Chrome browser data is unprotected, and can be read by anyone with physical access to the hard drive, access to the file system, or simple malware. There are dozens of well-known exploits to access payload data and locally stored files. To see whether Chrome data was at risk of theft, Identity Finder researchers created a small proof-of-concept exploit that would upload Chrome cache data to a third party site (See screenshot below). In this attack scenario, an attacker would only have to trick a user into permitting access to their file system. Attackers could acquire vast amounts of personal information without requiring users to enter anyting into a form, or system credentials.

In addition, someone with access to a hard drive, for example after a computer is sold on Craigslist, would have access to all of this information, even if it is deleted.

In this scenario, an attacker creates a fake, trustworthy-looking website, and convinces a user to allow heightened access. As soon as the user clicks “Yes,” all of the data is transmitted to a third party.

Strictly speaking, these Chrome vulnerabilities aren’t “new” or completely unknown to technologists. However, Identity Finder is the first security company to demonstrate real-world, non-theoretical risks to sensitive information stored by the Chrome browser. By connecting the dots, we hope to educate all Chrome users that Chrome stores sensitive data unencrypted, alert users of the risks of stored Chrome data, and encourage individuals and enterprises to engage in sensitive data management best practices.


Chrome Sensitive Data Risks

Infographic. Click to enlarge.

We notified Google of the risk, but have not yet heard back.

As of now, Chrome is the only browser we have analyzed in-depth. We may analyze other browsers in the near future. But the fact that these risks have been around since version 2.0 of Chrome, or that similar vulnerabilities may be shared by other browsers, only adds to the urgency for browser makers to secure all stored browser data.

We’ve taken the liberty of compiling a quick infographic illustrating one potential attack vector, and why it’s vital for individuals and enterprises to engage in sensitive data management practices.

Protecting Yourself

Employees, employers, and consumers can easily protect themselves by following good sensitive data management practices. Anytime you enter a credit card number or other PII into a form, be sure to “Clear saved Autofill form data”, “Empty the cache”, and “Clear browsing history” from the past hour and the information you typed will be erased. Alternatively, disabling Autofill or using Incognito mode will protect form data.

Open Chrome, click “Customize and control Google Chrome”, then Settings, then scroll down to “Show advanced settings” then click “Clear browsing data…”. Once the Clear browsing data dialog popup appears, enable the checkmark for “Clear saved Autofill form data”, “Empty the cache”, and “Clear browsing history”. Configure the time setting to include when you typed sensitive data such as “the past hour” then click the button on bottom right: “Clear browsing data”. Finally, restart Google Chrome: