Google Chrome users are vulnerable to sensitive data theft

Pierluigi Paganini October 16, 2013

Security experts at Identity Finder demonstrated that Google Chrome users are vulnerable to sensitive Data Theft because the browser stores it unencrypted.

Google Chrome is today the most diffused web browser, nearly 39% of internet users have chosen it according the data proposed by StatCounter. The reason of the success behind Google Chrome is its efficiency and simplicity of use, but what can we say about the security? How Google Chrome manage and protect users’ data?

Google Chrome stats

Security experts at Identity Finder published an interesting blog post to highlight a series of security flaws in Google Chrome that could allow an attacker to steal personal data archived in the history files.

Experts at Identity Finder demonstrated different  methods to access personal data from the History Provider Cache in Google Chrome using their Sensitive Data Manager application, even if those data has been submitted through a secure website.

The purpose of the post is to inform Google Chrome that their browser stores sensitive data unencrypted with obvious risks.

The flaws exploitable in Google Chrome are related to SQLite and protocol buffers, used by the popular browser as storage for user’s personal data including names, email, phone numbers, bank details, credit card and social security numbers.

Google Chrome stats Sensitive Data

“Despite employees having entered this information on secure websites, Chrome saved copies of this data in the History Provider Cache. Other SQLite databases of interest include “Web Data” and “History.”  On Windows machines, these files are located at

"%localappdata%\Google\Chrome\User Data\Default\.” 

The attacker needs to have a physical access to the user’s machine, the same results could be obtained if a malicious code is specifically written to exploit well known vulnerability in Google Chrome.

“Chrome browser data is unprotected, and can be read by anyone with physical access to the hard drive, access to the file system, or simple malware,” noted the researchers. “There are dozens of well-known exploits to access payload data and locally stored files.”

Earlier this year, software designer Elliott Kember revealed how to expose users’ passwords saved by Google Chrome simply visiting viewing Chrome’s settings stored under the path chrome/settings/passwords in plain text.

Identity Finder security experts have provided the following Infograph to sensibilize Google Chrome users on the risks of exposure for their data.

Gogole Chrome Infograph

Identity Finder has notified Google of the risk related to the exploit of the flaw, but have not yet received responses. Waiting for Google reply the experts provided the following suggestions:

“Anytime you enter a credit card number or other PII into a form, be sure to “Clear saved Autofill form data”, “Empty the cache”, and “Clear browsing history” from the past hour and the information you typed will be erased. Alternatively, disabling Autofill or using Incognito mode will protect form data.”

Pierluigi Paganini

(Security Affairs –  Google Chrome, privacy)

you might also like

leave a comment