How Stored Browser Data Presents Risk – And How to Secure It (pt. 1)

by Talon Research
February 21st, 2022

We’re all using a browser all the time, especially as our gateway to the internet. In this three-part series, we’ll enumerate the data types stored there, the associated risks, and how data-stealing from it can be prevented. Part one focuses on credentials, while remaining installments will look at other stored data types. 

Global computer users have made the browser the most commonly used app in the enterprise—not Asana, Salesforce, or even Workday (which are all accessible through the browser). As another example, Google Workspace—one of the most common business applications—is accessed primarily online through a browser. So, wouldn’t you want all browsers used across your enterprise to be secure? 

It’s therefore crucial to know what data is stored in the browser. The same-origin policy (SOP) dictates that values stored by one domain can’t be read by another. This makes it difficult for threat actors to edit or delete that information without direct access to the browser. But an infostealer (malware that steals information) installed on the device can still steal browser data. 

Before taking a deep dive into the saved items, it’s important to understand why a browser saves information. A few reasons are to: 

  • facilitate logging back in.  
  • guarantee persistence and ensure users can access their data contained within any web-connected browser. 
  • retain an application’s state (e.g., its active panel, chosen theme, input options). 
  • store data locally, perhaps for practicality, performance, privacy, or pre-upload reasons. 
  • create a progressive web app that works offline, with no server-side requirements other than the initial download and subsequent updates. 

Data types stored in the browser 

  • Credentials are username and password pairs for disparate sites (e.g., bank accounts, email services) that are stored for subsequent reuse. 
  • Cookies are text strings that websites save to the local disk. Serving a memory function, they recognize online behavior and remember actions. Cookies track visits to any given website, such as what’s in your cart at an eCommerce site, or the retention of browser login information. 
  • Session cookies track online activities. With them, users can be kept logged in to websites, or even to shop online – then close a session at any time with selected products remaining in their cart. 
  • Persistent cookies implement user preferences (e.g., language, internal bookmarks), such that they’re recalled the next time a user visits a site. These cookies remain intact even after the browser has been closed. For example, they can remember login details and passwords such that users don’t need to re-enter them every time they visit a corresponding site. They make for a more convenient and faster online experience. 
  • Third-party/tracking cookies collect various types of data, such as interests, location, age, and search trends. These data are then passed on or sold to marketers, thereby providing users with advertisements specific to their interests.  
  • Certain credit card information is saved to help a user conclude a purchase with no need to physically access a card.  
  • Autofill information stores alphanumeric characters a user enters in online forms to assist with filling similar fields in the future. Sometimes personal data such as a passport number is stored.  
  • A browser cache speeds up display time and saves bandwidth. It holds temporary files (e.g., web pages, images) that are downloaded behind the scenes while web pages are being fully rendered. And should the user revisit a given site, it’s faster to pull those saved items from the cache rather than download them again. 
  • Browsing history: 
      • Websites visited – The browser stores a list of web addresses a user has visited along with titles and visitation time. It sometimes offers to restore the last tabs that were inadvertently closed, thereby shortening the time it takes to reopen them. This is also helpful if the user wants to later revisit a closed website, since they can usually find the link in their browser history. 
      • Download history – The browser records all files that have been downloaded. 
      • Search history – Every search term a user has used is saved so they can easily reuse it. 
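The cookie categories in the list above (session versus persistent, first-party versus third-party) are decided by attributes on the Set-Cookie header, so they can be checked mechanically. The following added example (not code from the original post) parses a few constructed Set-Cookie values, labels each one the way the list does, and reports the hardening flags a defender would expect on any cookie carrying login state. The site name `shop.example.com`, the response hosts and all header values are constructed samples; the same-site check is a deliberate simplification that ignores the public-suffix list a real browser consults.

```python
# Added example (not from the original post): classify Set-Cookie headers into
# the cookie categories listed above and audit their hardening flags.
# The site name, response hosts and header values below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROWSER_SITE = "shop.example.com"  # top-level page the user is visiting (constructed)

# (host that sent the response, raw Set-Cookie header value) -- constructed samples
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("shop.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example.com", "lang=en; Max-Age=31536000; Path=/"),
    ("ads.tracker.net",
     "uid=987; Expires=Wed, 21 Feb 2024 10:00:00 GMT; Domain=.tracker.net; Secure; SameSite=None"),
]


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)  # lower-cased attribute names


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr=val; Flag' into a Cookie. Attribute names are
    case-insensitive (RFC 6265), so they are lower-cased; bare flags map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def lifetime(cookie: Cookie) -> str:
    """Session cookies carry neither Expires nor Max-Age; anything else is persistent."""
    return "persistent" if ("expires" in cookie.attrs or "max-age" in cookie.attrs) else "session"


def is_third_party(response_host: str, site_host: str) -> bool:
    """A cookie set by a host outside the visited site is third-party.
    Simplification: 'same site' means the same host or a parent/subdomain of it;
    a real browser also consults the public-suffix list."""
    r, s = response_host.lower(), site_host.lower()
    return not (r == s or r.endswith("." + s) or s.endswith("." + r))


def missing_hardening(cookie: Cookie) -> List[str]:
    """Flags a defender would expect on any cookie that carries login state."""
    wanted = [("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite")]
    return [label for key, label in wanted if key not in cookie.attrs]


def audit(responses: List[Tuple[str, str]], site_host: str) -> List[dict]:
    """One report row per Set-Cookie header."""
    report = []
    for host, header in responses:
        c = parse_set_cookie(header)
        report.append({
            "name": c.name,
            "set_by": host,
            "lifetime": lifetime(c),
            "third_party": is_third_party(host, site_host),
            "missing": missing_hardening(c),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_RESPONSES, BROWSER_SITE):
        print(row)
```

On the constructed input the login cookie is reported as a session cookie with no missing flags, the language preference as a persistent cookie lacking Secure, HttpOnly and SameSite, and the ad-network cookie as a persistent third-party cookie. The same routine can be pointed at real response headers captured from a proxy or the browser's network panel.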

Stealing browser data 

MITRE reports that common infostealer malware steals credentials from browsers. By this method, adversaries acquire credentials by reading the files in which a targeted browser stores them. 

Azorult malware is one example of a tool used in credential theft. In 2018, Palo Alto Networks researchers discovered that new variants were used as primary payloads in the FindMyName spam campaign. That malware stole credentials and user data from thirty-two browsers, including Chrome and Firefox. 

Here’s another: As reported by Check Point Software researchers, “Formbook is an [info stealer] that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C [command and control] orders. …[It] was reborn as XLoader, and the malware is now available for sale in the underground forum.”  
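Because the technique described above comes down to a process other than the browser reading the browser's credential files, it leaves a signal in file-access auditing. The following added example (not code from the original post or from any of the vendors cited) scans constructed file-access records and raises an alert when a non-browser process reads a saved-login store, escalating when one process reaches into several browsers at once, the pattern the infostealers above are described as exhibiting. The log format, process names, PIDs and user paths are constructed; the file names are the well-known ones used by Chrome and Firefox profiles.

```python
# Added example (not from the original post): detection logic over constructed
# file-access audit records. Flags processes that are not the owning browser
# reading files in which browsers keep saved credentials and cookies.
from typing import Dict, List

# Files that hold saved logins / cookies, keyed to the browser that owns them
CREDENTIAL_FILES = {
    "login data": "chrome",
    "cookies": "chrome",
    "logins.json": "firefox",
    "key4.db": "firefox",
    "cookies.sqlite": "firefox",
}

# Processes legitimately expected to open each browser's own profile files
OWNER_PROCESSES = {"chrome": {"chrome.exe"}, "firefox": {"firefox.exe"}}

# Constructed audit lines: timestamp|process|pid|operation|path
SAMPLE_LOG = r"""
2022-02-21T09:14:03Z|chrome.exe|4120|READ|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2022-02-21T09:15:27Z|updater.exe|5511|READ|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2022-02-21T09:15:28Z|updater.exe|5511|READ|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2.default\logins.json
2022-02-21T09:15:29Z|updater.exe|5511|READ|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2.default\key4.db
2022-02-21T09:16:00Z|explorer.exe|1200|READ|C:\Users\alice\Documents\notes.txt
""".strip().splitlines()


def parse_line(line: str) -> Dict[str, str]:
    """Split one audit record; the file name is compared case-insensitively."""
    ts, proc, pid, op, path = line.split("|", 4)
    basename = path.replace("\\", "/").rsplit("/", 1)[-1]
    return {"ts": ts, "proc": proc.lower(), "pid": pid, "op": op,
            "path": path, "file": basename.lower()}


def detect(lines: List[str]) -> List[dict]:
    """Return one alert per (process, pid) that reads a browser credential file
    it does not own. Severity becomes 'high' when the same process touches
    stores belonging to more than one browser."""
    hits: Dict[tuple, dict] = {}
    for line in lines:
        rec = parse_line(line)
        browser = CREDENTIAL_FILES.get(rec["file"])
        if browser is None or rec["proc"] in OWNER_PROCESSES[browser]:
            continue  # not a credential store, or the browser reading its own files
        key = (rec["proc"], rec["pid"])
        alert = hits.setdefault(key, {"process": rec["proc"], "pid": rec["pid"],
                                       "browsers": set(), "files": [],
                                       "first_seen": rec["ts"]})
        alert["browsers"].add(browser)
        alert["files"].append(rec["path"])
    for alert in hits.values():
        alert["severity"] = "high" if len(alert["browsers"]) > 1 else "medium"
        alert["browsers"] = sorted(alert["browsers"])
    return list(hits.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["severity"], alert["process"], alert["pid"], alert["browsers"])
```

On the constructed log only `updater.exe` (PID 5511) is reported, at high severity, because it reads both the Chrome and the Firefox stores within seconds; the browser reading its own files and the unrelated document access are ignored. In a real deployment the allow-list needs the browsers actually in use (Edge shares Chrome's layout, as the article notes below) and any legitimate backup or sync agents.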

How common is infostealer use? Take a look at what’s happening on the dark web: in the following online ad, someone is selling a tool that “Steals Browser Passwords / Browser Cookies” from all well-known browsers. 

Source: RaidForums, Jan. 30, 2022

How do browsers protect saved passwords? 

Like every service, Google saves a user’s credentials in its database, hashed and salted (i.e., a unique, random character string known only to it is added to the password before hashing). Google also offers to store credentials for other services in Chrome in two ways: 

  • After encryption, store browser passwords on the user’s system. This provides easy access to them, even in offline mode. Encryption protects the passwords should an attacker gain access to that system. 
  • Turn on sync to also save passwords in the cloud. This makes them available to every device used in connection with that Google account. 
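The "hashed and salted" storage mentioned above is what a service uses when it only ever needs to check a password, never to recover it. The following added example (not Google's code or the post's; the algorithm and parameters are this example's own choice, not a description of Google's implementation) shows the two halves of that scheme: deriving a record from a fresh random salt, and verifying a later login attempt against it in constant time. The sample passwords are constructed.

```python
# Added example (not Google's code or the post's): storing a password "hashed
# and salted" and verifying it later. PBKDF2-HMAC-SHA256 with 200,000
# iterations is this example's choice, not a statement about Google's setup.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Return a storable record: a fresh random salt plus the derived hash.
    The salt is unique per credential, so two users with the same password
    still end up with different records (the salt argument exists only so
    tests can pin a value)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=32)
    return {"algo": "pbkdf2_sha256", "iterations": str(ITERATIONS),
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the hash."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(record["iterations"]), dklen=32)
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_different_records(password: str) -> bool:
    """Why the salt matters: identical passwords yield distinct hashes, yet both
    records still verify."""
    a, b = hash_password(password), hash_password(password)
    return a["hash"] != b["hash"] and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong guess", rec))                    # False
```

Note the contrast with the local password store described in the list above: a service can keep only a one-way hash because it merely checks what the user types, whereas a browser must hand the original password back to a login form, so it has to encrypt rather than hash, and therefore has to keep a decryption key somewhere on the system. That key is the weak point the following paragraphs discuss.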

Windows and macOS users are prompted for a password to access saved passwords. (Linux provides instant access without prompting for authentication. And the Firefox browser gives access to stored passwords without authentication, regardless of platform.) Regardless, this TechRepublic article shows two ways to bypass the password prompt on Windows and Mac systems.  

But some malware can grab the secret key and decrypt stored passwords. It doesn’t have to be sophisticated; here’s a recovery tool that reveals a user’s passwords without browser involvement. 

Source: NirSoft (nirsoft.net)

The Edge browser behaves in a similar manner to Chrome, since it’s also based on Chromium open source code. Because of the potential vulnerability, many researchers recommend never using a browser’s password manager. 

What does TalonWork do differently? 

Suppose you keep your house and car keys physically separate from one another. You’re about to enter your house, but inadvertently left its keys in your car. You pull out the remote to unlock the car, grab your house keys, then unlock the door to the house. 

Without thinking about it, in essence you used two keys to enter your home. Certainly, this might seem to provide an additional security factor, but it’s also more cumbersome. 

TalonWork functions in a similar way, but without introducing such complexity to users. While providing the desired additional security, they won’t sense any difference between it and the browser they’re already familiar with. Instead of using a local key to protect the passwords (which you learned is also accessible to attackers), TalonWork saves its access key remotely. Because that key is unavailable to an attacker on the device, the attacker is unable to decrypt the stored passwords.  

Since the remote key is the only way to unlock the stored passwords, TalonWork makes it far more difficult for a bad actor to gain access to them, yet the underlying process remains imperceptible to users. 

Summary 

Many important items are stored in the browser, with some being highly confidential. New infostealer malware is showing up every day, as well as new vulnerabilities. It’s crucial to protect the enterprise browser using the most advanced tool the market has to offer. This is why we created TalonWork. Visit the product page for more information about the additional security protection TalonWork provides.  
