How your personal ‘web dossier’ can end up in the wrong hands - TEISS: Cracking Cyber Security


All kinds of personal information, from your location, work hours, habits, banks and applications to your passwords, are there for the taking. Recent research from Exabeam shows criminals can exploit a huge amount of personal information stored in web browsers, including Google Chrome and Firefox, with a simple malware attack.

Website developers have a variety of ways of using modern browsers to customise their users’ experience, and advertisers in particular harness this ability to maximise their impact. This undoubtedly creates a richer, more personalised browsing experience, but the vast wealth of personal information stored in web browsers presents a huge risk.

Your personal web dossier

The danger lies in the extensive ‘web dossier’ that a hacker can build on an individual, drawn from the detailed artefacts stored in their web browser.  This data can be reviewed, combined and pieced together to paint a picture of a person’s habits and past activities.  With enough data, this can also provide a foundation to reliably predict a person’s future actions.

For example, criminals can determine when you are at work and when you are at home. With access to your browser history, an attacker can learn about your personal interests quite easily.

They can manipulate this information, using your hobbies and interests to guess your passwords, or in extreme cases, to blackmail you. It would also be simple for an attacker to learn the name of your bank, and in some instances, to recover bank account numbers used to transfer funds to other banks.

Significantly, it is not difficult for a person with malign intent to harvest this information from a web browser. Simple, freely available malware will do the trick. To understand how this happens, as well as what individuals can do to stay secure, it’s useful to look at Exabeam’s research in more detail.

What information is stored in web browsers?

Web browsers store several types of data. Exabeam looked at five specific data types to construct a web dossier:

Visited Sites: information about web pages that users browse, including information like URL, page title, and timestamp.

HTTP Cookies: small pieces of data sent from a website and stored on a user's computer while the user is browsing.

LocalStorage: introduced with HTML5, this is an upgraded form of cookie that allows more data to be stored locally.

Saved login information: modern browsers all have some type of password manager where login information for various sites is stored in a single place. Cookies are also used for authentication, often when users tick the ‘Remember Me’ or ‘Keep Me Logged In’ boxes on login pages.

Autofill: an option found in web browsers allowing commonly-entered information to be filled in automatically.

Web browsers also temporarily store parts of web pages in the browser cache. While not part of this study, the cache can contain images, JavaScript code, HTML files, and more. Cached items often expire and are deleted relatively quickly, but are rich sources of information while they last.

The research tested 1000 of the most popular websites, including Facebook, Google Mail, Amazon, Instagram and PayPal. All of them store users’ personal information locally, in the computer’s web browser, in the formats listed above. This is sensitive information, including account usernames, associated email addresses, search terms, titles of viewed emails and documents, downloaded files and location data.

By reviewing saved login information, Exabeam was also able to extract saved passwords for all of the websites tested.  It’s important to note that this is not a weakness of the websites themselves, but the web browser’s default password manager.

The web dossier harvest

The research used OpenWPM, a privacy measurement framework built on Firefox, with a few modifications. Using the OpenWPM framework, a Firefox browser visited the Alexa Top 1000, navigating to three links on each of the websites, using time delays to simulate a user browsing. This initial crawl did not log into any of the sites, so no information about user accounts was expected.

Instead, the focus of the analysis of the collected data was to search for identifiers of the device's and user's physical location. This type of geolocation is used by site owners to customise the experience, load balance traffic, and to serve specific ads to different regions.

The second phase tested user accounts and actions on popular web apps – to see what evidence could be found in the local browser files – creating accounts on these sites to log in, perform a relevant action, and see what traces could be found. This phase used Google’s Chrome web browser – currently the most widely used browser in the world – to manually perform all the actions. This generated artifacts in the same way real world users do.

Hacking the harvest

Creating malware to harvest information stored in a browser is quite straightforward, and variants have been around for years, including the Cerber, Kriptovor, and CryptXXX ransomware families.

The free NirSoft tool WebBrowserPassView dumps saved passwords from Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. While ostensibly designed to help users recover their own passwords, it can be put to nefarious use.  The recent ‘Olympic Destroyer’ malware used to disrupt the Pyeongchang Olympic Games reportedly took advantage of user credentials saved in the browser.

Another concern is anyone working on a shared computer or in a shared workspace. If a machine is unlocked, extracting browser data for analysis could be done in seconds with the insertion of a USB drive running specialised software or the click of a web link to insert malware.

Many internet users may presume their passwords are stored safely by their browser. While it is true that browsers encrypt passwords, these are decrypted when used by the browser, and can be accessed by any process.

Browsers often use host operating system APIs to protect saved passwords. Access to these is not exclusive to the browser, which is what the NirSoft tool and various malware exploit.

How to protect yourself

Given that the most serious threat comes from criminals accessing browser data via malware, the most important thing people can do is ensure they are running anti-virus software. This should stop most of the malware aimed at harvesting information to build a web dossier.

For those still concerned about someone accessing their machine, there are a number of steps that offer additional protection, but these all come at a cost to web browsing experience.

Users can consider changing browser settings to further protect their privacy, but these all present some inconvenience. For example, when using Google Chrome’s Incognito Mode, very little information is stored locally. This means less information for hackers to exploit, but it also means no customised sites, no saved login details and very few relevant browsing suggestions.

By disabling autofill and ‘remember my password’ features, users can ensure this information is not saved locally for attackers to collect. Providing users are not tempted into creating less secure passwords, this provides an effective line of defence.

Going further, users can disable all HTTP Cookies. This leaves less to exploit, but many websites will have issues, especially if they require a log in. Disabling 3rd party HTTP Cookies can strike a better balance, but will still leave lots of valuable information in the browser.
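The steps above can be checked against what a Chrome profile actually holds. The script below is an added example, not code from the article or from Exabeam's research: it counts, without reading any values, the rows in four of the five stores listed earlier (LocalStorage is omitted because Chrome does not keep it in SQLite). The file and table names are assumptions about Chrome's current profile layout, and the sample profile is constructed so the script runs offline.

```python
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

# Assumed Chrome profile layout: store -> (candidate files, table to count).
STORES = {
    "visited_sites": (("History",), "urls"),
    "cookies": (("Network/Cookies", "Cookies"), "cookies"),
    "saved_logins": (("Login Data",), "logins"),
    "autofill": (("Web Data",), "autofill"),
}


def audit_profile(profile_dir):
    """Return {store: row count, or None if the file is absent or unreadable}."""
    report = {}
    for store, (candidates, table) in STORES.items():
        report[store] = None
        for rel in candidates:
            db = Path(profile_dir) / rel
            if not db.is_file():
                continue
            # mode=ro: the profile is never modified; rows are counted, not read.
            uri = db.resolve().as_uri() + "?mode=ro"
            try:
                with closing(sqlite3.connect(uri, uri=True)) as con:
                    query = f"SELECT COUNT(*) FROM {table}"
                    report[store] = con.execute(query).fetchone()[0]
            except sqlite3.Error:
                pass  # file locked by a running browser, or unexpected schema
            break
    return report


def build_sample_profile():
    """Constructed stand-in profile so the example runs offline."""
    root = Path(tempfile.mkdtemp())
    rows = {"History": ("urls", 3), "Login Data": ("logins", 2), "Web Data": ("autofill", 0)}
    for name, (table, n) in rows.items():
        with closing(sqlite3.connect(str(root / name))) as con:
            con.execute(f"CREATE TABLE {table} (v TEXT)")
            con.executemany(f"INSERT INTO {table} VALUES (?)", [("sample",)] * n)
            con.commit()
    return root


if __name__ == "__main__":
    for store, count in audit_profile(build_sample_profile()).items():
        print(f"{store:14} {'not found' if count is None else count}")
```

Close the browser before pointing `audit_profile` at a real profile directory, since a running browser may hold the files locked.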

A wake up call

This is a global issue; anyone who uses the most popular web browsers is at risk. The web dossier building blocks are ready to be pieced together, and whilst users can take several steps to significantly minimise the risk, no solution is foolproof.

This research highlights something many users will already have suspected, but it should act as a wake up call for those concerned with personal information security. After all, who wants their web dossier in the hands of the wrong person?
