Criminals Can Build A Web Profile From Your Browser, Beware!
This could come as a shocker to many internet users: cybercriminals can build a web dossier about you from the information they gather from your routine web browsing!
California-based cyber security firm Exabeam has published a blog post on this very interesting topic. The post, titled ‘How Criminals Can Build a “Web Dossier” from Your Browser’, discusses how criminals can create a web dossier from the personal information they collect from the browser you use; this information would include your location, work hours, bank details etc. They could even lay hands on your passwords.
The Exabeam blog says: “Web browsers store an incredible amount of sensitive information about you. Website developers have a variety of ways of using modern browsers to customize the experience for users. Advertisers also use these features to maximize the impact of ads shown on sites. The result is that a lot of information about you is stored deep in your browser, and it can potentially be exploited by cyber criminals in a number of ways.”
Web developers use modern browsers to enhance the user experience, and advertisers use them to deliver ads. To support this, browsers collect and store a lot of personal information about their users so that developers and advertisers can use it for their purposes. Criminals can very easily lay hands on that same personal information and use it to build web dossiers of the users.
In the first phase of their research, Exabeam researchers visited some of the most popular websites with the Firefox browser, using the Alexa Top 1000 list as their guide. Among the sites they visited, they found 56 websites storing some level of geolocation information about the user on the local system; they also found 57 websites recording the user’s IP address.
In the second phase of the Exabeam research, the researchers used Google Chrome to find out what information was being stored in the local browser files. The Exabeam blog says: “For the second phase, we were able to extract a number of potentially sensitive items from popular services, including account usernames, associated email addresses, search terms, titles of viewed emails and documents, and downloaded files.”
Another notable finding was that when users saved login credentials in the browser's built-in password manager, the researchers could extract the saved credentials for all the websites that they tested.
A cybercriminal can use malware to sneak into a system and then steal all the personal information that’s stored in the browser(s). Harvesting browser data is easier on shared computers, using malware or a USB drive.
It’s always good not to store login credentials in the browser's built-in password manager. It’s also good to have proper endpoint protection, meaning trusted antivirus software installed on your system. Using incognito mode, disabling HTTP cookies, disabling autofill features and regularly clearing browsing artifacts are other advisable steps you could take to prevent this. You could also use a third-party password manager.
The Exabeam blog says: “Browsers store many artifacts to make browsing and buying on the web easier, but collectively, this information can be mined, aggregated and used to create a profile many users may not realize. Ensuring endpoint protection and not leaving machines unlocked in public spaces are essential. Users should also consider changing browser settings to further protect their privacy.”
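To check how much of this a profile still retains before and after applying the steps above, the following added example (not code from the Exabeam post or from this article) counts records per artifact category in copies of a Chrome profile's SQLite files, without reading any stored values. The file and table names are assumptions about Chrome's on-disk layout and may differ between versions; `audit_profile` and `count_tables` are names chosen for this example.

```python
import shutil
import sqlite3
import sys
import tempfile
from pathlib import Path

# Assumed Chrome profile layout: SQLite file -> {table: what it holds}.
# Names may differ between browser versions; adjust as needed.
ARTIFACTS = {
    "History": {"urls": "visited URLs and page titles",
                "keyword_search_terms": "search terms",
                "downloads": "downloaded files"},
    "Login Data": {"logins": "credentials saved in the built-in password manager"},
    "Web Data": {"autofill": "autofill form entries"},
    "Cookies": {"cookies": "HTTP cookies"},
    "Network/Cookies": {"cookies": "HTTP cookies"},  # location in newer versions
}

def count_tables(db_path, tables):
    """Return {table: row count} for the listed tables that exist in db_path."""
    counts = {}
    # Read a temporary copy: a running browser keeps the original locked.
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "copy.sqlite"
        shutil.copyfile(db_path, copy)
        con = sqlite3.connect(copy.as_uri() + "?mode=ro", uri=True)
        try:
            present = {row[0] for row in con.execute(
                "SELECT name FROM sqlite_master WHERE type = 'table'")}
            for table in tables:
                if table in present:  # table names come from ARTIFACTS only
                    counts[table] = con.execute(
                        f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        finally:
            con.close()
    return counts

def audit_profile(profile_dir):
    """Count retained records per artifact category; no values are read."""
    report = {}
    for rel_path, tables in ARTIFACTS.items():
        db = Path(profile_dir) / rel_path
        if db.is_file():
            for table, n in count_tables(db, tables).items():
                report[tables[table]] = report.get(tables[table], 0) + n
    return report

if __name__ == "__main__":
    for label, n in audit_profile(sys.argv[1]).items():
        print(f"{n:>8}  {label}")
```

Run it with the path to a profile directory as the only argument; a non-zero count for saved credentials or autofill entries after changing the settings means the browser is still keeping that data.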
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.