A new report from Exabeam has detailed just how easy it is for cybercriminals to hack into your life.
It’s no secret that web browsers store a substantial amount of sensitive information about their users, with website developers using a variety of ways to customise the experience. Advertisers also use these features to maximise the impact of ads shown on sites.
The result is that a lot of information about you is stored deep within your browser, and Exabeam senior threat researcher Ryan Benson says it then be potentially exploited by hackers in a number of ways. All kinds of personal information, from your location, work hours, habits, banks, applications, and even passwords are there for the taking.
There are several ways that browsers store information, including visited sites, HTTP cookies, local storage, saved login info and autofill.
To create its study, Exabeam visited and conducted tests on the most popular sites on the Internet, using the Alexa Top 1000 list as their guide.
In the first phase of their research, Exabeam found 56 websites stored some level of geolocation information about the user on their local system, while 57 recorded a user’s IP address
“For the second phase, we were able to extract a number of potentially sensitive items from popular services, including account usernames, associated email addresses, search terms, titles of viewed emails and documents, and downloaded files. Table 2 below shows some of the more notable examples,” says Benson.
“In addition to these site actions, if a user chose to have the browser save their password for them using the built in password managers, we were able to extract those saved usernames and passwords for all sites tested.”
So how can attackers gain access to this information?
Benson says it is actually quite straightforward. Malware to harvest information stored in a browser is easily accessible and variants have been around for years, including the Cerber, Kriptovor, and CryptXXX ransomware families.
“The free NirSoft tool WebBrowserPassView dumps saved passwords from Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. While ostensibly designed to help users recover their own passwords, it can be put to nefarious use. The recent ‘Olympic Destroyer’ malware used to disrupt the Pyeongchang Olympic Games reportedly took advantage of user credentials saved in the browser,” says Benson.
“Another concern is anyone working on a shared computer or in a shared workspace. If a machine is unlocked, extracting browser data for analysis could be done in seconds with the insertion of a USB drive running specialised software or click of a web link to insert malware. While it is true that browsers encrypt passwords, these are decrypted when used by the browser, and can be accessed by any process.”
And then with this information (what Exabeam has labelled a ‘web dossier’), how can cybercriminals exploit it?
“An attacker could compile a list of applications you commonly log into from your URL history, including work applications and personal finance sites. Criminals can learn who in a company has access to the financial or payroll application, for example, and compile a list of usernames to use to break in,” says Benson.
“Knowing what applications are in use at a company can help an attacker craft more convincing phishing emails to try and trick users into exposing their passwords, which the attacker could then harvest.”
Benson says it would also be simple to learn the name of your bank, online broker, or retirement fund manager.
“We were able to extract different levels of geolocation indicators, including IP address, from a wide array of popular websites, including nba.com and cbssports.com. News sites, including cbsnews.com, cnn.com, usatoday.com, foxnews.com, telegraph.co.uk, nypost.com, and nytimes.com, also store information about a user’s location on that user’s local machine,” says Benson.
“Extracting historical location information from a web browser can paint a picture of a user’s habits and past activities. By extracting similar types of information from a broad range of websites, investigators can get multiple data points to help corroborate different geolocation data points. So an attacker can determine when you are at work and when you are at home, for example.”
“Of course, with access to your URL history, an attacker can learn about your personal interests quite easily. There are two ways an attacker could manipulate this information. First, it is well known that attackers use hobbies to guess passwords,” says Benson.
“Second, if your hobbies or interests are controversial, unusual or even illegal, you may fall victim to online blackmail. And lastly, with the unfortunate rise of cyberbullying, especially among teens, a web dossier could be used to expose or embarrass the victim.”
“Modern browsers offer the option of a consistent experience to users, no matter what device they are using. Because of this, it can be possible to extract information about what other devices a user owns by examining browser history,” says Benson
“Some browsers explicitly sync records from multiple devices to each other, and some make use of “casting” or other screen sharing methods to communicate with other devices. By looking at this information, it may be possible to find a device that a user is trying to keep hidden, or to connect a personal machine to a work machine.”
And so in terms of protection, Benson says ensuring endpoint protection and not leaving machines unlocked in public spaces are both essential – users should also consider changing browser settings to further protect their privacy.