Google Chrome may leave users vulnerable to theft of private data

Oct 17, 2013 Dave King

Users of Google's web browser, Chrome, might have reason to double-check their consumer credit data. Despite the Mountain View, Calif.-based company's reputation for cutting-edge technology, the security settings of the browser may leave it vulnerable to the theft of sensitive data.

Researchers at Identity Finder recently conducted a study of the security of Chrome among a select number of employees who use it as their primary web browser. The company's Sensitive Data Manager tool found that a range of Chrome's SQLite databases and protocol buffers store data without many users' knowledge, including Social Security numbers, bank account information and credit card numbers, as well as more basic information like names, home addresses and phone numbers. A subsequent review of Chrome on the computers of all Identity Finder employees who used the browser found that Chrome's storage of this kind of data was all but universal.

Perhaps most worrying is that the browser appeared to lack sufficient protection of user data, including encryption.

"Chrome browser data is unprotected, and can be read by anyone with physical access to the hard drive, access to the file system or simple malware," Identity Finder wrote. "Someone with access to a hard drive, for example after a computer is sold on Craigslist, would have access to all of this information, even if it is deleted."

Google counters the claims

The technology giant responded to the allegations of Chrome's poor protection of private data by reaffirming the security of the browser and pointing out details the Identity Finder report missed.

In a statement provided to USA Today, Leslie Miller, spokeswoman for Google, pointed out that much of the control in protecting private data on Chrome is in the hands of the user. The platform will never store particularly sensitive data like credit card and bank account information without first asking permission from the user. Furthermore, all locally stored data in Chrome is encrypted, assuming the user's computer operating system (OS) supports the feature.

However, the response to Miller's comments provided by Identity Finder CEO Todd Feinman suggested that the Google representative may have been leaving out some of the details herself.

"Chrome has several databases and files that store information on users' computers," Feinman noted, according to the news source. "One of those databases is encrypted and designed specifically to store passwords securely. However, other unencrypted databases and files store strings of text regardless of their sensitivity."

Feinman also pointed out in his comments to USA Today that despite the support of encryption on the Windows OS, Chrome itself does not force the OS to encrypt sensitive data in the cache.

What companies can do

While individuals concerned about identity theft enabled by the potential flaws in Chrome should check their consumer credit reports, companies that encourage use of the browser might consider what practices they can put in place to protect themselves and their employees.

The problem is particularly relevant to companies with bring-your-own-device (BYOD) policies, whose employees are using Chrome on their smartphones or tablets in addition to computers. According to The Verge, Google has even released an updated version of Chrome for its rival Apple's new operating system, iOS 7. Cite World recommended that users not only ask Chrome to sync data on all their devices that run the browser, but also encrypt it by using a custom syncing passphrase. A company-wide policy of this kind for Chrome may be of benefit.

Furthermore, HKLiquidations suggested that businesses upgrading their computers should ensure old electronics are disposed of properly, as the hard drives of these devices invariably contain some sensitive information which could be accessed by tech-savvy identity thieves.
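
As an added example (not part of the original article, and not Identity Finder's or Google's code), here is a read-only audit that counts SSN-shaped and Luhn-valid card-shaped strings in every SQLite file under a directory, the kind of check a company could run on a copy of a browser profile before a machine is reassigned or disposed of. The patterns, function names and sample database are assumptions constructed for illustration; BLOB columns, such as serialized protocol buffers, are not scanned.

```python
import contextlib, os, pathlib, re, sqlite3, tempfile

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: discards digit runs that merely look like card numbers."""
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def scan_sqlite(path):
    """Per-table counts of SSN- and card-shaped strings; matched values are never output."""
    hits = {}
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"   # open read-only
    with contextlib.closing(sqlite3.connect(uri, uri=True)) as con:
        names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for name in names:
            ssn = card = 0
            for row in con.execute('SELECT * FROM "%s"' % name.replace('"', '""')):
                for text in (v for v in row if isinstance(v, str)):   # TEXT values only
                    ssn += len(SSN_RE.findall(text))
                    card += sum(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(text))
            if ssn or card:
                hits[name] = {"ssn": ssn, "card": card}
    return hits

def scan_tree(root):
    """Scan every file under root that starts with the SQLite 3 header magic."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            with open(path, "rb") as fh:
                is_db = fh.read(16) == b"SQLite format 3\x00"
            if is_db and (hits := scan_sqlite(path)):
                report[os.path.relpath(path, root)] = hits
    return report

def build_sample(root):   # constructed sample data, not real records or real Chrome files
    con = sqlite3.connect(os.path.join(root, "sample_form_data.db"))
    con.execute("CREATE TABLE form_entries (field TEXT, value TEXT)")
    con.executemany("INSERT INTO form_entries VALUES (?, ?)", [
        ("ssn", "000-12-3456"), ("card", "4111 1111 1111 1111"), ("order", "1234567890123456")])
    con.commit(); con.close()
    pathlib.Path(root, "notes.txt").write_text("000-12-3456")   # not SQLite, so skipped

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_tree(tmp))
```

Run it against a copy of the profile directory rather than the live one, since a running browser may hold locks on its database files.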