Virtualization Technology News and Information
The 5 Most Common Privacy Threats to Consumers on the Web

By Michael Levit

Internet users often assume that recognizable, brand-name web browsers will keep their information safe and protected. Whether it's Chrome, Safari, or Microsoft Edge, the browsers' parent companies are presumed to be trustworthy, so users barely question the security features any further.

However, there are still ubiquitous risks within the browser ecosystem, originating from both internal vulnerabilities and external browser extensions. One of the biggest concerns comes from the collection of PII, or personally identifiable information. PII is any information that can be used to identify a user, whether it's through usernames, search history, devices used, or physical location when online (e.g. IP address).

All that information becomes fuel for identity theft, in which attackers open bank accounts in a user's name, drain their financials, or even use stolen emails to launch phishing attacks. That's why PII leaks are one of leading types of data breaches. There's a lot of value all around to be gained from PII.

But how can users protect their PII? Well first, they need to be aware of the most common risks to their PII, and where the threats originate from. So, let's explore the five most prevailing threats.


What seems like a quite innocuous feature is actually one of the most significant threats to PII: spellcheck. Because spellcheck is monitoring the words a user types in order to search for spelling errors, that means the feature is monitoring everything someone types, including personal information into forms.

When users type their passwords, birthdates, or even social security numbers into a form on a website, all that information is recorded by the browser via spellcheck. Moreover, in what's known as spell-jacking, if a user has advanced spellcheck features enabled - in which the text goes all the way to Google for "enhanced" spelling suggestions - basically any text entered into forms is transmitted to the browser's parent company.

The threat is real. Advanced spellcheck features on both Microsoft Edge and Chrome have been shown to record passwords and other PII, and then send that data onwards to the tech giants' servers. In response to criticism, Google rebutted that users have to choose to opt into the enhanced feature, and it comes with a warning that anything you type will be transmitted to Google's server-although they claim they're attempting to exclude passwords from spellcheck.

Admittedly, this seems to be more of a design flaw than an intentional caveat. But regardless, the spellcheck feature continues to record, transmit, and expose sensitive PII across a litany of systems and servers, putting your information at risk.

Browser extensions and plug-ins

Browser extensions are intended to enhance the user experience, whether by blocking ads, searching for coupons and discounts on shopping sites, or saving your passwords under a single manager extension.

However, such browser extensions can also introduce vulnerabilities into your browser, or even be developed with malicious intent to directly inflict malware on your computer or harvest your information. A study from the software company McAfee discovered five different Chrome browser extensions that tracked users' browser activity and were discreetly collecting users' PII, including credit card information.

Pop-up ads

While consumers tend to find pop-up ads annoying, many don't realize they can also be dangerous. Pop-up ads on websites may force a user to interact with the pop-up by making it difficult to close the ad. In the process, the ads might prompt the user to input sensitive information, or cause malware to download onto the user's device.

Pop-up ads aren't just deployed on nefarious websites, but seemingly benign websites as well: the website in question might have been compromised, or it may be using a third-party ad company that doesn't properly vet the ads.

To protect against pop-ups, an ad-blocking extension is recommended, which may be contradictory given the above advice on extensions. Just ensure you opt for a reputable extension with an adequate security architecture in place, like AdBlock or uBlock Origin, that are highly reviewed and only available on official browser web stores.

Alternatively, you can opt for a browser with an ad blocker built into the design, minimizing the amount of supplementary extensions you need to install that add risk.

Malicious redirects

Sometimes, an otherwise trustworthy website may redirect you to another site that's clogged with malware because the site has been compromised. This can occur when an attacker breaks into a trusted website and injects code that automatically redirects visitors to another site, likely a malware-distribution or credential-harvesting site. Users may not even realize they've been redirected to an entirely different site, but with a similar looking URL. Then the user may enter login credentials into the phony site.

This "open redirect" occurs when a website fails to adequately validate user input, meaning testing any data typed by a user into a website, to ensure it's not malicious code. This lack of vigilance allows cybercriminals to manipulate legitimate URLs to redirect victims to malicious sites.

Breached central security

Harvesting PII through user activity, whether via phishing, fake credentials, or keylogging, is pretty standard procedure for hackers. But often there are more high-profile attacks targeting a web browser's central databases.

We enter a lot of PII into web browsers, making browsers' servers highly lucrative targets and thereby tempting for attackers. Last year, Chrome issued an official statement that warned its 2.6 billion users to expect more cyberattacks in the future, as cybercriminals were becoming increasingly sophisticated with their methods of attack and finding new vulnerabilities to exploit.

Moreover, Chrome admitted to simply having a bigger target on its back than other browsers due to the sheer volume of its users.

Final thoughts

So, even if you're taking individual steps to protect your PII, it doesn't necessarily guarantee your PII is protected at the source where it's stored. It's therefore advisable to opt for a more secure, trusted, and transparent browser. Nix the ones that use spell check to glean PII, the ones that require external features to create a smooth browsing experience, and the ones that are inevitably going to be targeted time and time again due to their high profile - at least until such time as the browsers in question can find ways to successfully mitigate privacy threats.

Sometimes the major players are not always better, and it may be time to look into smaller alternatives. Rather than choosing browsers that wheel and deal with hundreds of millions of users' information, opt for a browser that specializes more in quality than quantity. And quality should be inseparable from security.



Michael Levit – CEO of Tempest

Michael Levit 

Analytical and entrepreneurial leader, advisor, and angel investor with a passion for Consumer Internet both direct (B2C) and indirect (B2B2C). 20 years of progressive experience spanning Product, Business and Corporate Development, Strategy and Marketing. Raised over $200MM in debt and equity and created businesses generating $80MM+ in EBITDA/ year. History of building teams around the globe and growing entrepreneurial projects into large offerings. Love breaking down complex consumer problems and advising startups on how to solve them.

Michael is also an angel investor with investments including Docker, August, Say Media, Patients Know Best, Namo Media (Twitter), Joy Ride (Google), and Socialcam (Autodesk).

Published Thursday, November 17, 2022 7:34 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<November 2022>