Everyday use of a web browser provides criminals with a lot of opportunities to poach your personal data, new research shows.
Everything from your location, work hours and habits to your banks and passwords is available to criminals, according to cyber-intelligence firm Exabeam.
The research lays out the myriad ways criminals build what is in essence a web dossier by mining data stored in your browser.
Never presume your password is stored safely
To determine what information is stored locally in a browser, Exabeam visited the most popular Internet sites based on the Alexa Top 1,000 list.
As a result, the researchers were able to extract account usernames, associated email addresses, search terms, titles of viewed emails and documents and downloaded files.
"In addition ... if a user chose to have the browser save their password for them using the built-in password managers, we were able to extract those saved usernames and passwords for all sites tested," Exabeam said in a blog post.
Tools of the malware trade
The bad guys can harvest data stored in your browser using a variety of malware at their disposal.
In addition to infostealers and ransomware, there are free tools, including one called NirSoft, that dump saved passwords from Microsoft Edge, Mozilla Firefox, Google Chrome, Safari, and Opera, according to Exabeam.
Google did not respond to a request for comment, while a Mozilla spokesperson said that users should always update to the latest version of the browser and install an antivirus program.
“While ostensibly designed to help users recover their own passwords, [these programs] can be put to nefarious use,” Exabeam said. USB drives with specialized software can also extract data from an unlocked computer in a shared workspace.
Location data is ripe for the picking. One of the most recent high-profile cases of what can happen is the Strava fitness tracker, which unwittingly revealed the locations of U.S. military bases and the personnel on those bases, including bases in Afghanistan and Syria, according to reports.
That data can potentially be cross-referenced with social media accounts, putting the military at risk – and of course individuals too.
"While the information from apps like Strava is very focused, the information stored in your web browser is very broad and can potentially reveal all kinds of things about you, from shopping habits to medical issues to physical locations," Ryan Benson, senior threat researcher at Exabeam, told Fox News.
Benson also pointed to search engine queries that can reveal "what problems you are struggling with, what you are interested in, where you live ... Attackers can then profile you — where you go, where you work, what interests you and people you associate with — and create a targeted attack against you."
Ways to protect yourself
Benson recommends using a reputable third-party password manager, which is typically a more secure way to save passwords. He also recommends enabling multi-factor authentication.
"If you have multi-factor turned on, even if an attacker has stolen your password, they still won’t be able to access your account without also getting access to your second-factor, which is typically much more difficult," Benson said.
In the post, Exabeam also offers a chart showing how to protect yourself. In addition to third-party password managers, you can opt to disable (or choose not to enable) autofill and "save password" settings. Other strategies include browsing in “Incognito Mode” (in which browsing history is disabled), disabling cookies, and regularly clearing all (or select) browsing data.