Hacking Your Browser for Further Exploits

In our last post, we discovered the trove of personal information that our web browser saves automatically, in the form of cookies, temporary Internet files, code snippets, and stored passwords.  Today we learn how an attacker could use this information in further exploits against you.

Using the information stored in your browser, an attacker can build a detailed dossier about you.  This information would include your public IP address, your first and last name, street address, city, state and zip code, telephone numbers, email addresses, a list of recent and frequently visited websites, and quite possibly the stored user IDs and passwords needed to log on to these sites as you.  Just what can the attacker do with this information?

  • Account discovery.  The attacker can create a profile of web site and web application use.  This will include email accounts, social network accounts, financial and shopping accounts, and even work accounts that you log into remotely or at the office.
  • Account credentials.  And if that isn’t bad enough in itself, in many cases the attacker will have a list of passwords stored in your browser for many of these sites.
  • Devices.  Often the browser history will have information about the device you used to surf the web or log into an account.  This can let the attacker craft exploits specifically for your iPhone or Android, Windows PC or Mac, as well as some basic demographics.  More devices – more money?
  • Location history.  From this same source the attacker can learn your travel patterns and the locations where you open a browser and sign into an account.  This can let an attacker know when you are at work or at home, among other things.
  • Interests and habits.  With the list of visited websites, the attacker can build a profile of your habits and interests, such as your hobbies, pastimes, and details such as the time of day you are likely to check your email or do your online banking.  Your interests can sometimes provide information for password guessing.  Depending on what your interests are, this information could be used for blackmail or extortion.

On Friday we will discuss what you can do to prevent your browser from collecting and saving so much personal information, and how to protect yourself from these sorts of attacks.

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.