In our last post, we discovered the trove of personal information that our web browser saves automatically, in the form of cookies, temporary Internet files, code snippets, and stored passwords. Today we learn how an attacker could use this information in further exploits against you.
Using the information stored in your browser, an attacker can build a detailed dossier about you. This information would include your public IP address, your first and last name, street address, city, state and zip code, telephone numbers, email addresses, a list of recent and frequently visited websites, and quick possibly the stored user ID and passwords needed to log on to these sites as you. Just what can the attacker do with this information?
- Account discovery. The attacker can create a profile of web site and web application use. This will include email accounts, social network accounts, financial and shopping accounts, and even work accounts that you log into remotely or at the office.
- Account credentials. And if that isn’t bad enough in itself, in many cases the attacker will have a list of passwords stored in your browser for many of these sites.
- Devices. Often the browser history will have information about the device you used to surf the web or log into an account. This can let the attacker craft exploits specifically for you iPhone or Android, Windows PC or Mac, as well as some basic demographics. More devices – more money?
- Location history. From this same source the attacker can learn your travel patterns and locations you are at when you open a browser and sign into an account. This can let an attacker know when you are at work or at home, among other things.
- Interests and habits. With the list of visited websites, the attacker and build a profile of your habits and interests, such as your hobbies, pastimes, an details such as the time of day you are likely to check your email or do your online banking. Your interests can sometimes provide information for password guessing. Depending on what your interests are, this information could be used for blackmail or extortion.
On Friday we will discuss what you can do to prevent your browser from collecting and saving some much personal information, and how to protect yourself from these sorts of attacks.
More information:
- Exabeam report
- Security and browser settings for:
MAY
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com