Hacking Your Browser for Further Exploits

In our last post, we discovered the trove of personal information that our web browser saves automatically, in the form of cookies, temporary Internet files, code snippets, and stored passwords.  Today we learn how an attacker could use this information in further exploits against you.

Using the information stored in your browser, an attacker can build a detailed dossier about you.  This information would include your public IP address, your first and last name, street address, city, state and zip code, telephone numbers, email addresses, a list of recent and frequently visited websites, and quite possibly the stored user IDs and passwords needed to log on to these sites as you.  Just what can the attacker do with this information?

  • Account discovery.  The attacker can create a profile of web site and web application use.  This will include email accounts, social network accounts, financial and shopping accounts, and even work accounts that you log into remotely or at the office.
  • Account credentials.  And if that isn’t bad enough in itself, in many cases the attacker will have a list of passwords stored in your browser for many of these sites.
  • Devices.  Often the browser history will have information about the device you used to surf the web or log into an account.  This can let the attacker craft exploits specifically for your iPhone or Android, Windows PC or Mac, as well as some basic demographics.  More devices – more money?
  • Location history.  From this same source the attacker can learn your travel patterns and locations you are at when you open a browser and sign into an account.  This can let an attacker know when you are at work or at home, among other things.
  • Interests and habits.  With the list of visited websites, the attacker can build a profile of your habits and interests, such as your hobbies, pastimes, and details such as the time of day you are likely to check your email or do your online banking.  Your interests can sometimes provide information for password guessing.  Depending on what your interests are, this information could be used for blackmail or extortion.

On Friday we will discuss what you can do to prevent your browser from collecting and saving so much personal information, and how to protect yourself from these sorts of attacks.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.