By Michael Levit
Internet users often assume that recognizable,
brand-name web browsers will keep their information safe and protected. Whether
it's Chrome, Safari, or Microsoft Edge, the browsers' parent companies are
presumed to be trustworthy, so users barely question the security features any
further.
However, there are still ubiquitous risks
within the browser ecosystem, originating from both internal vulnerabilities
and external browser extensions. One of the biggest concerns comes from the
collection of PII, or personally identifiable information. PII is any
information that can be used to identify a user, whether it's through
usernames, search history, devices used, or physical location when online (e.g.
IP address).
All that information becomes fuel for identity
theft, in which attackers open bank accounts in a user's name, drain their
financials, or even use stolen emails to launch phishing attacks. That's why
PII leaks are one of the leading types of data breaches. There's a lot of value all
around to be gained from PII.
But how can users protect their PII? Well,
first, they need to be aware of the most common risks to their PII, and where
the threats originate from. So, let's explore the five most prevalent threats.
Spellcheck
What seems like a quite innocuous feature is
actually one of the most significant threats to PII: spellcheck. Because
spellcheck monitors the words a user types in order to find spelling
errors, the feature sees everything someone types, including personal information
entered into forms.
When users type their passwords, birthdates,
or even social security numbers into a form on a website, all that information
is recorded by the browser via spellcheck. Moreover, in what's known as
spell-jacking, if a user has an advanced spellcheck feature enabled (one in which
the text goes all the way to Google for "enhanced" spelling suggestions),
essentially any text entered into forms is transmitted to the browser's parent
company.
The threat is real. Advanced spellcheck
features on both Microsoft Edge and Chrome have been shown to record passwords and other PII, and then
send that data onwards to the tech giants' servers. In response to criticism, Google rebutted that users have to choose to
opt into the enhanced feature, and that it comes with a warning that anything you
type will be transmitted to Google's servers, although the company claims it is
attempting to exclude passwords from spellcheck.
Admittedly, this seems to be more of a design
flaw than an intentional caveat. But regardless, the spellcheck feature
continues to record, transmit, and expose sensitive PII across a litany of
systems and servers, putting your information at risk.
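The practical defence on the site side is to mark PII fields so the browser's spellchecker never sees them: the standard HTML attribute `spellcheck="false"` opts a field out, and a bare `spellcheck` or `spellcheck="true"` leaves it on. The following is an added example, not code from the article or from any browser vendor; it audits a constructed sample form for sensitive fields that still have spellcheck enabled and emits a hardened copy. The field-name pattern, the sample form and the helper names are assumptions made for this demo.

```javascript
// Added example, not code from the article: audit an HTML form for fields that
// hold PII but leave browser spellcheck enabled, and emit a hardened copy.
// `spellcheck="false"` is the standard HTML attribute that keeps a field out of
// the browser's spellchecker. The field-name pattern and the sample form are
// assumptions constructed for this demo.

// Names that commonly hold sensitive data (hypothetical list for the demo).
const SENSITIVE_NAME_PATTERN = /(pass|pwd|ssn|social|dob|birth|card|cvv|secret)/i;

// Parse the attribute portion of a tag (everything after the tag name) into a map.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// A field is sensitive if it is a password field or its name/id looks like PII.
function isSensitive(attrs) {
  if ((attrs.type || '').toLowerCase() === 'password') return true;
  return SENSITIVE_NAME_PATTERN.test(attrs.name || '') ||
         SENSITIVE_NAME_PATTERN.test(attrs.id || '');
}

// A bare `spellcheck` attribute or spellcheck="true" both leave it enabled;
// only the explicit "false" opts the field out.
function spellcheckDisabled(attrs) {
  return typeof attrs.spellcheck === 'string' && attrs.spellcheck.toLowerCase() === 'false';
}

const FIELD_TAG = /<(input|textarea)\b([^>]*)>/gi;

// Report every sensitive field that still has spellcheck enabled.
function auditSpellcheck(html) {
  const findings = [];
  const re = new RegExp(FIELD_TAG.source, 'gi');
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttributes(m[2]);
    if (isSensitive(attrs) && !spellcheckDisabled(attrs)) {
      findings.push({
        tag: m[1].toLowerCase(),
        name: attrs.name || attrs.id || '(unnamed)',
        type: (attrs.type || 'text').toLowerCase(),
      });
    }
  }
  return findings;
}

// Return a copy of the HTML with spellcheck="false" on every sensitive field.
function hardenSpellcheck(html) {
  return html.replace(new RegExp(FIELD_TAG.source, 'gi'), (whole, tag, body) => {
    const attrs = parseAttributes(body);
    if (!isSensitive(attrs) || spellcheckDisabled(attrs)) return whole;
    // Drop any existing spellcheck attribute (bare or valued) before re-adding it.
    let core = body.replace(/\s+spellcheck\b(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>\/]+))?/gi, '');
    const selfClosing = /\/\s*$/.test(core);
    core = core.replace(/\s*\/\s*$/, '');
    return `<${tag}${core} spellcheck="false"${selfClosing ? ' /' : ''}>`;
  });
}

// Constructed sample form for the demo.
const SAMPLE_FORM = `
<form action="/signup" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="ssn" placeholder="Social Security Number">
  <input type="text" name="dob" spellcheck="false">
  <textarea name="comments"></textarea>
</form>`;

console.log('Findings:', auditSpellcheck(SAMPLE_FORM));
console.log(hardenSpellcheck(SAMPLE_FORM));
```

Running it reports the `password` and `ssn` fields (the `dob` field is already opted out) and prints the form with `spellcheck="false"` added to both. The attribute only stops the browser's own spellchecker; it does nothing about a malicious extension reading the form, which the next section covers.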
Browser extensions and plug-ins
Browser extensions are intended to enhance the
user experience, whether by blocking ads, searching for coupons and discounts
on shopping sites, or saving your passwords under a single manager extension.
However, such browser extensions can also
introduce vulnerabilities into your browser, or even be developed with
malicious intent to deliver malware directly to your computer or harvest your
information. A study from the software company McAfee discovered five different Chrome browser extensions
that tracked users' browser activity and were discreetly collecting users' PII,
including credit card information.
Pop-up ads
While consumers tend to find pop-up ads
annoying, many don't realize they can also be dangerous. Pop-up ads on websites
may force a user to interact with the pop-up by making it difficult to close
the ad. In the process, the ads might prompt the user to input sensitive
information, or cause malware to download onto the user's device.
Pop-up ads aren't just deployed on nefarious
websites, but seemingly benign websites as well: the website in question might
have been compromised, or it may be using a third-party ad company that doesn't
properly vet the ads.
To protect against pop-ups, an ad-blocking
extension is recommended, which may seem contradictory given the above advice on
extensions. Just ensure you opt for a reputable extension with an adequate
security architecture in place, like AdBlock or uBlock Origin, which are highly
reviewed and only available on official browser web stores.
Alternatively, you can opt for a browser with
an ad blocker built into the design, minimizing the amount of supplementary
extensions you need to install that add risk.
Malicious redirects
Sometimes, an otherwise trustworthy website
may redirect you to another site that's clogged with malware because the site
has been compromised. This can occur when an attacker breaks into a trusted
website and injects code that automatically redirects visitors to another site,
likely a malware-distribution or credential-harvesting site. Users may not even
realize they've been redirected to an entirely different site with a
similar-looking URL. Then the user may enter login credentials into the phony
site.
This "open redirect" occurs when a website
fails to adequately validate user input, that is, to check any data supplied by a
user to the website (here, the redirect destination carried in the URL) before acting on it.
This lack of vigilance allows cybercriminals to manipulate legitimate URLs so that they
redirect victims to malicious sites.
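What "validating the redirect destination" looks like in practice is shown in the following added example, which is not code from the article. It contrasts a login handler that trusts a `next` parameter as given with one that resolves the candidate against the site's own origin and only ever returns a local path, then runs both over a constructed list of the destination shapes a validator has to reject. The site origin, the parameter name and the function names are assumptions for this demo; it relies only on the WHATWG `URL` class built into Node.js and browsers.

```javascript
// Added example, not code from the article: validating a "next" redirect
// parameter so a login handler cannot be abused as an open redirect.
// SITE_ORIGIN and the parameter name are assumptions for this demo.

const SITE_ORIGIN = 'https://example.com'; // assumed site origin for the demo

// Vulnerable pattern: the handler sends the user wherever the query string says.
function redirectTargetUnsafe(next) {
  return next || '/';
}

// Hardened pattern: resolve the candidate against our own origin, require that
// the result still belongs to that origin, and hand back only the local part
// (path, query, fragment) so the Location header can never name another host.
function redirectTargetSafe(next, origin = SITE_ORIGIN) {
  const fallback = '/';
  if (typeof next !== 'string' || next.length === 0) return fallback;
  // Browsers treat "\" like "/" in http(s) URLs, so "/\evil.example" would
  // become "//evil.example"; refuse backslashes before parsing.
  if (next.includes('\\')) return fallback;
  let url;
  try {
    url = new URL(next, origin);
  } catch (e) {
    return fallback; // unparsable input
  }
  // Rejects absolute URLs on other hosts, protocol-relative "//host" forms,
  // userinfo tricks such as "https://example.com@evil.example", and
  // non-http schemes such as "javascript:" (whose origin is "null").
  if (url.origin !== origin) return fallback;
  return url.pathname + url.search + url.hash;
}

// Constructed candidates a login page might receive in ?next=...
const CANDIDATES = [
  '/account?tab=security',
  'https://example.com/profile',
  '//evil.example/login',
  'https://evil.example/login',
  'https://example.com@evil.example/',
  'javascript:alert(1)',
  '/\\evil.example',
  '',
];

// Side-by-side view of where each candidate would send the user.
function compareTargets(candidates = CANDIDATES) {
  return candidates.map((next) => ({
    next,
    unsafe: redirectTargetUnsafe(next),
    safe: redirectTargetSafe(next),
  }));
}

console.table(compareTargets());
```

The key design choice is to never echo the caller's string back: the hardened function rebuilds the destination from the parsed `pathname`, `search` and `hash`, so even a same-origin absolute URL such as `https://example.com/profile` comes back as `/profile`, and every foreign-host or odd-scheme candidate collapses to the `/` fallback.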
Breached central security
Harvesting PII through user activity, whether
via phishing, fake credentials, or keylogging, is pretty standard procedure for
hackers. But often there are more high-profile attacks targeting a web
browser's central databases.
We enter a lot of PII into web browsers,
making browsers' servers highly lucrative targets and thereby tempting for
attackers. Last year, Chrome issued an official statement that warned its 2.6
billion users to expect more cyberattacks in the future, as
cybercriminals were becoming increasingly sophisticated with their methods of
attack and finding new vulnerabilities to exploit.
Moreover, Chrome admitted to simply having a
bigger target on its back than other browsers due to the sheer volume of its
users.
Final thoughts
So, even if you're taking individual steps to protect
your PII, it doesn't necessarily guarantee your PII is protected at the source
where it's stored. It's therefore advisable to opt for a more secure, trusted,
and transparent browser. Nix the ones that use spellcheck to glean PII, the
ones that require external features to create a smooth browsing experience, and
the ones that are inevitably going to be targeted time and time again due to
their high profile, at least until such time as the browsers in question can
find ways to successfully mitigate privacy threats.
Sometimes the major players are not always
better, and it may be time to look into smaller alternatives. Rather than
choosing browsers that wheel and deal with hundreds of millions of users'
information, opt for a browser that specializes more in quality than quantity.
And quality should be inseparable from security.
ABOUT THE AUTHOR
Michael Levit – CEO of Tempest
Analytical and entrepreneurial leader, advisor, and angel investor with a passion for Consumer Internet both direct (B2C) and indirect (B2B2C). 20 years of progressive experience spanning Product, Business and Corporate Development, Strategy and Marketing. Raised over $200MM in debt and equity and created businesses generating $80MM+ in EBITDA/ year. History of building teams around the globe and growing entrepreneurial projects into large offerings. Love breaking down complex consumer problems and advising startups on how to solve them.
Michael is also an angel investor with investments including Docker, August, Say Media, Patients Know Best, Namo Media (Twitter), Joy Ride (Google), and Socialcam (Autodesk).