Using Identity Finder's Sensitive Data Manager software, company researchers conducted a search for personally identifiable information (PII) across typical business users' computers. Among staff who used Google Chrome as a primary browser, Sensitive Data Manager pinpointed several files (notably the History Provider Cache) storing a range of information including names, email addresses, mailing addresses, phone numbers, bank account numbers, social security numbers and credit card numbers. Despite users having entered this information on secure websites, Google Chrome saved an unencrypted copy of data entered into web forms and the address bar (omnibox) on each employee's hard drive.
After discovering the vulnerable sensitive data, Identity Finder researchers demonstrated a proof-of-concept exploit that would allow malicious code to upload this Chrome cache data to a third party site. In this attack scenario, a criminal would only have to trick users into allowing the exploit access to their file system. The exploit does not require users to enter sensitive information, their system credentials or to decrypt any stored data.
"With most sensitive data stored by Chrome, such as passwords, the only way for malware or a hacker to gain access is if a user is logged in. However, in this case some information is stored in clear text and is accessible whether or not the user is logged in,' said
Any business that must comply with PCI-DSS is at increased risk of failed audits and increased costs because employees entering credit card data in Chrome are inadvertently expanding their cardholder data environment. Identity Finder's findings underscore the need for sensitive data management practices at home and in the enterprise.
Employees and consumers can easily protect themselves by following good sensitive data management practices. Anytime a credit card number or other PII is entered into a form, simply "Clear saved Autofill form data' , "Empty the cache' and "Clear browsing history' from the past hour and restart Chrome, and the information will be erased. Alternatively, disabling Autofill or using Incognito mode will protect form data.
For more information on how to clear Autofill data or how you might be affected, visit http://www.identityfinder.com/blog/?p=88.
Most Popular Stories
- Bipartisan Budget Deal Gets Key Support in House
- Bitcoin Clones Lurch Onto Financial Scene
- Clinton to Keynote Annual Simmons Leadership Conference
- TFA Recruiting DACA Recipients
- Scotch Whisky Sales Raise Distillers' Spirits
- Holiday Shopping Off to a Slow Start This Season
- Fake Deaf Interpreter Was Hallucinating, Has Schizophrenia
- Tea Party Glum in Face of Bipartisan Budget Deal
- Budget Deal Will Cut 220,000 Californians Out of Jobless Benefits
- Health Coverage Disparities Emerge Among States