Tuesday, January 17, 2017

(Browser) Caching Fire

   Someone recently asked me a question about the safety of allowing your web browser to save, and then auto-fill, passwords.  That's a very timely question because that issue has been in the news lately.

   Web browsers have all kinds of built-in capabilities.  One "feature" that is only a few years old is the ability to save information you might put into forms such as: your name and address, phone number and other contact info, credit card information.  Browsers can also save your userids and passwords for sites, then automatically fill in that info when you visit the site.

   I've always said that security-minded people should not allow web browsers to save this kind of personal and security info.  This is primarily because all browsers have a track record of having many vulnerabilities.  I've always "said" this but, as it turns out, I've never written about it!  It's about time! [Note... or so I thought! While looking for some other info, I found that I did talk about this issue back in 2013!]

   There are two primary reasons why allowing the browser to save sensitive information is a bad idea:
  1. Copycat and phishing websites can grab information your browser has stored directly, without your knowledge.  This is the problem that was recently announced.
  2. As I just mentioned, browsers have many vulnerabilities and exploits. At this year's Pwn2Own contest (a 2-day event at which teams compete to exploit software vulnerabilities for cash prizes), all of the major browsers fell victim!
   The latest issue that was discovered occurs when you are lured to a specially crafted website.  That happens more often than you might think and can be caused by a phishing email or other malware attacks.  The malicious website has fillable fields that are hidden, so it grabs information out of the data stored by your browser, and you can't see that happening.
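   To make the "hidden fillable fields" idea concrete from the defender's side, here is an added example (my own illustration, not code from the original post or from any browser vendor) of a small audit that scans a page's HTML source for input fields that a browser's form-fill profile would populate even though the user can never see them. It is deliberately self-contained so it runs in plain Node.js: it parses `<input>` tags with a regular expression instead of a real DOM, and it only sees inline `style` attributes, so a production check (for example inside a browser extension) would walk the live DOM and use `getComputedStyle()` to catch fields hidden through external stylesheets as well. The sample page, the list of "sensitive" autocomplete tokens and the function names are all my own constructions.

```javascript
// Added example (not from the original post): a heuristic audit that flags
// form fields a browser would auto-fill but a user could never see.
// It parses <input> tags from page source with a small regex so it runs in
// plain Node.js without a DOM; a live audit would walk the DOM and call
// getComputedStyle(), which also catches fields hidden via external CSS.

// Autocomplete tokens / field names that browsers populate from saved
// profiles (constructed list, based on the HTML autocomplete attribute names).
const SENSITIVE = [
  'name', 'given-name', 'family-name', 'email', 'tel', 'phone',
  'street-address', 'address', 'postal-code', 'zip',
  'cc-number', 'cc-exp', 'cc-csc', 'cc-name', 'card',
  'username', 'password', 'current-password', 'new-password',
];

// Parse every <input ...> tag into a lower-cased attribute map.
// Boolean attributes such as a bare `hidden` get an empty-string value.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4] ?? '').trim();
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Would the browser offer saved profile or credential data for this field?
function isSensitive(attrs) {
  if ((attrs.type || 'text').toLowerCase() === 'password') return true;
  const key = `${attrs.autocomplete || ''} ${attrs.name || ''} ${attrs.id || ''}`.toLowerCase();
  return SENSITIVE.some((tok) => key.includes(tok));
}

// Is the field part of the form yet invisible to the user? Only inline
// styles and the `hidden` attribute are checked here (see note above).
function isHidden(attrs) {
  if ('hidden' in attrs) return true;
  const style = (attrs.style || '').toLowerCase().replace(/\s+/g, '');
  return /display:none/.test(style)
    || /visibility:hidden/.test(style)
    || /opacity:0(\.0+)?(;|$)/.test(style)
    || /(left|top|right|bottom):-\d{3,}px/.test(style)
    || /(width|height):0(px)?(;|$)/.test(style);
}

// Return the names of fields that are both auto-fillable and invisible:
// the pattern the post describes. type=hidden inputs are skipped because
// browsers never auto-fill those; the risk is in visually hidden text fields.
function findHiddenAutofillTargets(html) {
  return parseInputs(html)
    .filter((a) => (a.type || 'text').toLowerCase() !== 'hidden')
    .filter((a) => isSensitive(a) && isHidden(a))
    .map((a) => a.name || a.id || a.autocomplete || '(unnamed)');
}

// Constructed sample page: a normal-looking login form plus two fields the
// user never sees but a saved form-fill profile would populate.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password">
  <input type="text" name="cc-number" autocomplete="cc-number" style="position:absolute; left:-9999px">
  <input type="text" name="street-address" style="opacity: 0; height: 0">
  <input type="hidden" name="csrf_token" value="constructed">
  <button type="submit">Sign in</button>
</form>`;

console.log('hidden autofill targets:', findHiddenAutofillTargets(SAMPLE_HTML));
// → hidden autofill targets: [ 'cc-number', 'street-address' ]
```

   Run with `node` and the two invisible fields are reported while the visible login fields and the CSRF token (a `type="hidden"` input, which browsers never auto-fill) are not. The point for an end user is the one the post makes: nothing on screen distinguishes such a page from a harmless login form, which is why turning off browser auto-fill, or moving credentials to a password vault that fills only on an explicit action, is the practical defense.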

   If you want to learn more about this, here are a number of articles covering this issue. If you want to dive deeper, here is a detailed research paper from Stanford.

   But saving this form-fill information in the browser and auto-filling with 1 click is convenient!  That is very true.  Fortunately, there's another way to solve this problem.  We've talked about this many times before... use a password vault!

   If you read the Stanford paper, they note that some password vaults could be fooled by the same issues affecting browsers.  However, the password vault vendors are very quick to patch the problems.

   At home or in the office, you should not save any sensitive or confidential information, including passwords, in your browser.  But, at the office, please check with your IT security staff and policy before making any browser setting changes.

   If you're not sure how your browser is configured, or you want to prevent your browser from filling out forms or from saving passwords, here are the instructions:
   How to Disable and Clear AutoFill Info in your Browser
   Turn off the built-in password manager in your browser

   And, for a bit more fun on the topic, here's a great article:  5 Password Management Tools Compared: Find the One That’s Perfect for You
