Experts recommend safeguards with Chrome personal data store

Google Chrome users should take extra precautions when using the browser to type personal data, such as credit card numbers, into website forms, experts say.


Additional steps are necessary because Chrome will store the data in plaintext in its web history log on the hard drive. The browser retrieves the information as needed to avoid having the user retype the same data into other forms.

Researchers at Identity Finder created proof-of-concept malware that could take the data and send it to a third party. The security vendor claims Google could make the process more difficult for hackers by having the browser encrypt the data before it is stored.

Chrome lets the operating system encrypt the data, if that's how the user has the OS configured. With Windows, Microsoft offers full disk encryption through its BitLocker feature.

"It would be harder to get at the data (if encrypted)," Aaron Titus, chief privacy officer for Identity Finder, said.

Google said the vendor is making a lot out of nothing because Chrome gives the user full control over how it stores data.

"Chrome asks for permission before storing sensitive information like credit card details, and you don't have to save anything if you don't want to," the company said in a statement sent to CSOonline.

"Furthermore, data stored locally by Chrome will be encrypted if supported by the underlying operating system."

Identity Finder specializes in software that finds sensitive information on PCs, so it's not surprising that it recommends better data management. For example, browser makers could detect when someone is typing in a credit card number and not store the data.

"Chrome, and probably browsers and other programs in general, need to deploy sensitive data management practices," Titus said.
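The suggestion above, that a browser could recognise a card number as it is typed and decline to store it, can be sketched as a filter in front of the form-history store. This is an added example, not Chrome's or Identity Finder's code; the field object shape and all function names are assumptions made for illustration.

```javascript
// Added example: decide whether a submitted form value may be kept in
// form history. All names are hypothetical, not Chrome internals.

// Luhn checksum, the check-digit scheme used by payment card numbers.
function passesLuhn(digits) {
  let sum = 0;
  let alt = false; // true for every second digit counted from the right
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    alt = !alt;
  }
  return sum % 10 === 0;
}

// True when the value looks like a card number: only digits plus space or
// dash separators, 13 to 19 digits, and a valid Luhn checksum.
function looksLikeCardNumber(value) {
  const trimmed = value.trim();
  if (!/^\d[\d -]*\d$/.test(trimmed)) return false;
  const digits = trimmed.replace(/[ -]/g, "");
  if (digits.length < 13 || digits.length > 19) return false;
  return passesLuhn(digits);
}

// field: { name, autocomplete, value } as a form-history layer might see it.
function shouldPersist(field) {
  const hint = `${field.autocomplete || ""} ${field.name || ""}`.toLowerCase();
  // The page declared the field as payment data: never store it.
  if (/\bcc-|card|cvv|cvc/.test(hint)) return false;
  // No declaration, so fall back to inspecting the value itself.
  return !looksLikeCardNumber(field.value);
}

// Constructed sample submission; 4111 1111 1111 1111 is a standard test number.
const submitted = [
  { name: "email", autocomplete: "email", value: "user@example.com" },
  { name: "q1", autocomplete: "", value: "4111 1111 1111 1111" },
  { name: "pan", autocomplete: "cc-number", value: "n/a" },
  { name: "phone", autocomplete: "tel", value: "0412 345 678 9012" },
];
const stored = submitted.filter(shouldPersist).map((f) => f.name);
console.log(stored);
```

The Luhn check keeps long digit strings such as phone numbers from being dropped by mistake, while the field-hint check covers pages that label their payment fields.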

Other experts did not consider Chrome's handling of personal data a serious problem.

"I believe it makes sense to store the web history information in an encrypted format to avoid this information leakage problem, but it is not a critical issue," Wolfgang Kandek, chief technology officer for Qualys, said.

Malware written to steal information from a PC would go after much more than a browser history log, Kandek said. For example, the malicious software would likely intercept keystrokes to steal credentials used on websites and grab data from unlocked password stores.


Where extra precautions need to be taken is when a person sells or gives away an older PC. "If their hard drive is sold on something like eBay and was not properly wiped they are clearly at risk," Paul Henry, computer forensics specialist for Lumension, said.

To avoid having sensitive data accessed, sellers need to reformat their hard drives before handing the system to a buyer, Kandek said.

But if the computer user is savvy enough not to save credentials or to regularly clear the browser cache, then the storing of history logs becomes a "non-issue," Henry said.


Stories by Antone Gonsalves
