Chrome's effort at efficiency may leave users vulnerable
Google Chrome users should take extra precautions when using the browser to type personal data, such as credit card numbers, into website forms, experts say.
Additional steps are necessary because Chrome will store the data in plain text in its web history log on the hard drive. The browser retrieves the information as needed to avoid having the user retype the same data into other forms.
Researchers at Identity Finder created proof-of-concept malware that could take the data and send it to a third party. The security vendor claims Google could make the process more difficult for hackers by having the browser encrypt the data before it is stored.
Chrome lets the operating system encrypt the data, if that's how the user has the OS configured. With Windows, Microsoft offers full disk encryption through its BitLocker feature.
"It would be harder to get at the data (if encrypted)," said Aaron Titus, chief privacy officer for Identity Finder.
Google said the vendor is making a lot out of nothing because Chrome gives the user full control over how it stores data.
"Chrome asks for permission before storing sensitive information like credit card details, and you don't have to save anything if you don't want to," the company said in a statement sent to CSOonline. "Furthermore, data stored locally by Chrome will be encrypted if supported by the underlying operating system."
Security assessment is ongoing
Identity Finder specializes in software that finds sensitive information on PCs, so it's not surprising that it recommends better data management. For example, browser makers could detect when someone is typing in a credit card number and not store the data.
"Chrome, and probably browsers and other programs in general, need to deploy sensitive data management practices," Titus said.
Other experts did not consider Chrome's handling of personal data a serious problem.
"I believe it makes sense to store the web history information in an encrypted format to avoid this information leakage problem, but it is not a critical issue," said Wolfgang Kandek, chief technology officer for Qualys.
Malware written to steal information from a PC would go after much more than a browser history log, Kandek said. For example, the malicious software would likely intercept keystrokes to steal credentials used on websites and grab data from unlocked password stores.
Extra precautions are needed when a person sells or gives away an older PC. "If their hard drive is sold on something like eBay and was not properly wiped they are clearly at risk," said Paul Henry, computer forensics specialist for Lumension.
To avoid having sensitive data accessed, sellers need to reformat their hard drives before handing the system to a buyer, Kandek said.
But if the computer user is savvy enough not to save credentials or to regularly clear the browser cache, then the storing of history logs becomes a "non-issue," Henry said.