Google Chrome saves sensitive data entered on https websites in plaintext
Back in summer 2013, Google was criticized for storing user login information -- username and password -- in plaintext in the web browser without any sort of protection. For some, this was a critical security risk that could easily have been avoided, for instance by implementing a master password protecting the data.
Others -- and Google -- pointed out that local access was required to access the data, and if local access was granted, the computer was compromised anyway, opening other attack vectors as well.
A few days ago, security research company Identity Finder discovered another -- related -- issue in Google Chrome. According to the company's findings, Chrome stores sensitive information, entered on https websites and services, in plaintext in the browser cache.
Note: While many believe that browsers do not cache https pages and data because of the secure nature of the connection, https contents may be cached. This depends solely on a site's or server's response headers (that are transferred to the web browser). If the caching headers allow the caching of HTTPS contents, web browsers will do so.
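As an added illustration (not code from Identity Finder or from any browser), the Python sketch below classifies a response's caching headers along the lines of the note above, using the Cache-Control rules of RFC 9111. The sample header sets and the labels it returns are constructed for this example.

```python
# Classifies how a browser cache may treat a 200 response to a GET.
# Only Cache-Control is interpreted; the labels are this example's own.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def classify(headers):
    """Return 'not-stored', 'stored-revalidate', 'stored-fresh' or 'stored-default'."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "not-stored"          # the only directive that forbids storing the body
    max_age = cc.get("max-age") or ""
    if "no-cache" in cc or max_age == "0":
        return "stored-revalidate"   # may be written to the cache, checked before reuse
    if max_age.isdigit():
        return "stored-fresh"        # reused without asking the server until it expires
    return "stored-default"          # lifetime from Expires or a browser heuristic


# Constructed sample responses from an HTTPS site.
SAMPLES = {
    "account page, hardened": {"Cache-Control": "no-store"},
    "no-cache only": {"Cache-Control": "private, no-cache"},
    "explicit lifetime": {"Cache-Control": "private, max-age=600"},
    "no caching headers": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:24} -> {classify(headers)}")
```

Of the four samples, only the first keeps the page body out of the cache; `private` and `no-cache` control who may reuse a response and when, not whether it is written.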
Chrome and sensitive data
Identity Finder discovered that Chrome was storing a range of sensitive information in its cache including bank account numbers, credit card numbers, social security numbers, phone numbers, mailing addresses, emails and more.
The company confirmed that this information was entered on secure websites, and could easily be extracted from the cache with search programs that scan any type of file for plaintext data.
The data is not protected in the cache, which means that anyone with access to it can extract the information. This does not necessarily mean local access, as malicious software running on a user's computer, and even social engineering, may yield the same results.
Handing over the computer to a computer repair shop, sending it in to the manufacturer, or selling it on eBay or Craigslist may provide third parties with access to sensitive information stored by the browser.
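The kind of plaintext scan described above can be run as a self-audit on your own browser profile before a machine leaves your hands. This is an added example, not Identity Finder's tool; the directory to scan is supplied by the caller, and matches are reported masked rather than in full.

```python
import os
import re
import sys

# Runs of 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_file(path):
    """Return masked findings for one file, read as raw bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"\D", b"", m.group()).decode()
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(data):
        findings.append(("ssn", "***-**-" + m.group()[-4:].decode()))
    return findings

def scan_tree(root):
    """Walk a directory and map each file with findings to its masked hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path)
            except OSError:
                continue            # locked or unreadable file: skip it
            if hits:
                results[path] = hits
    return results

if __name__ == "__main__" and len(sys.argv) > 1:
    # Entries stored compressed are not decoded: no output is not proof of a clean cache.
    for path, hits in scan_tree(sys.argv[1]).items():
        print(path, hits)
```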
How can you protect your data against this? Google wants you to use full disk encryption on your computer. While that takes care of the local access issue, it won't do a thing against malware attacks or social engineering.
It is like saying that website operators may save passwords in plaintext in the database, as the battle is lost anyway if someone gains access to the server locally or remotely.
In regards to Chrome, the only option that you have is to clear the cache, autofill form data and browsing history regularly and preferably right after you have entered sensitive information in the browser.
You cannot automate the process using Chrome alone; you need a third-party tool or extension to clear the data automatically when you close the browser.
Identity Finder only analyzed the cache of Google Chrome and if you are not using the browser, you are probably wondering if your browser stores sensitive information in plaintext as well.
Firefox, almighty when it comes to customizing the browser, lets you disable SSL caching in the advanced configuration.
- Type about:config in the address bar and hit enter.
- Confirm you will be careful if this is your first visit to the page.
- Search for browser.cache.disk_cache_ssl
- Set the preference to false with a double-click on its name to disable SSL caching.
- Repeat the process if you want to enable it again.
Firefox will use the computer's memory to cache files, which means that the information is automatically deleted when Firefox closes, and never recorded to disk.
If you do not want that either, set browser.cache.memory.enable to false as well.
I disable cache altogether in Firefox. I don’t see any point in keeping information cached on disk, because the gain in page loading speed is minimal.
I found that every person who came up to me and recommended Chrome tends to be the type that have 30 icons on their Windows desktop and god knows how many processes running in the taskbar. In short, posers with bad thinking process. So I’ve avoided Chrome ever since.
thanks again, martin, for the quick and easy tip…always enjoy getting security tips from you.
If I understand this correctly Firefox does the same thing by default? You have to change settings to change it?
Firefox caches https pages if the websites allow it to. I do not know if it saves critical information just like Chrome does though.
This is exactly as I expected Martin. I have also suspected this.
Hello Mr. Brinkmann and all:
I always suspected something was not right with Google Chrome . . . and now I am becoming a bit suspicious of G-Mail (my favorite e-mail place) as well!
Anyway, I was wondering . . . after I submit Sensitive information to a website I always use CCleaner to Clean Everything out . . . is CC effective in removing things from cache?
(also, I noticed that even when I am NOT using Google Chrome, CCleaner always seems to erase cookies and other junk from it. What’s up with that?)
Again, Mr. Brinkmann I am so glad you have this website as this is now my first go-to site in the morning!
Hi, if you use CCleaner and include Google Chrome in the clean-up then you should be fine. I do not know why the program finds Chrome data even if you have not used Chrome after a clean-up. That sounds mighty strange to me.
IE doesn’t store passwords in clear.
Thanks for tipping and instructing how to avoid and fix all these kinds of issues =]
Great website that I’ve only discovered recently :D
I got a Q – I usually do empty the cache every now and then – but I avoid clearing the autofill form data and browsing history – because I do want to have my history, and I naturally enjoy not-having-to-fill forms every single time… same for passwords for main websites…
Yea, I’m aware of the recent flop they had with the saved-passwords-info through settings too, but, bottom line – for the sole purpose of making sure no Credit Card \ ID info is being stored locally [through text files] wouldn’t ‘Empty the cache’ be enough?!? o.O
Thanks again, Joel
This is why I like the KWallet system in KDE. It automatically integrates with Chrome/Chromium and encrypts such data with a password of your choice, then you just enter the password again to give Chrome back access.