View Full Version : Chrome is a security nightmare, indexes your bank accounts

09-06-2008, 10:07 AM
By Humphrey Cheung
Thursday, September 04, 2008 05:41

Los Angeles (CA) – Can a browser’s search function work too well? After playing around with Google’s brand new Chrome browser, we’ve discovered that its history search box will fetch all types of data - even text from HTTPS-protected financial sites like Washington Mutual and Capital One. With a few utterly simple keywords like balance, account and Sept., everything from balance information, account numbers and even how much you spent at Costco can be pulled up.

To see all of this in action, just open up Chrome and log in to your favorite financial website. Like most important sites, it should be protected with HTTPS/SSL encryption and that should be evident in the address bar of the browser. Do the stuff you would normally do like look at your balances and gawk at your latest transactions and then open up a new tab in Chrome by clicking the “+” symbol. In the right-hand history search box, enter a few keywords and see what they get you. Surprised? I bet you are. No luck? Then try something simple like oh Visa, Mastercard, balance and account. Also try out the names and abbreviations of months like September, Sept and Sep.

If you’re like me, you probably saw account balances and some transaction details, but if you further refine your keywords you’d be able to see a lot more. We first discovered this “problem” by browsing the forensicfocus.com forums. “Problem” is in quotes because we’re not sure if this is a true vulnerability or Google Chrome’s search function working as intended – in this case, just too damn good. While playing around with the forensic implications of Chrome, “Jelle” on the forums posted that he and his partner noticed the browser was indexing information from HTTPS sites.

“One interesting finding is that in the regular browsing mode, Chrome creates a search index of the contents of a lot of the pages you visit. This allows you to do keyword searching in your own web history. On some of our tests, we found that content of https pages had been indexed as well, allowing us to retrieve our bank account details using a keyword search,” Jelle posted.

Of course after reading this I just had to give it a try and logged into my Washington Mutual and Capital One credit card accounts. I looked at my pathetically low bank account balances along with my insanely high outstanding credit card balances. Then I pulled up a recent list of transactions for the month (damn you gas prices) - on many financial websites this information is usually shown on the very first page after logging in. Then I opened up a new tab and started playing around with keywords.

Thinking like a hacker, my first plan of attack was to enumerate or list the financial services. After enumeration, I could drill down into the exact accounts and transactions. By simply typing in Visa, Mastercard, account and the names of popular banks you can find the types of accounts and which institution they belong to. In my case, Capital and Washington worked just fine. To get my account balance, I just typed in “balance” and to get transaction information I entered “transaction”. Typing in “costco” pulled up how much I spent on my last trip.

Is there a way to protect your financial information from being indexed? Google Chrome does have an incognito mode that promises to not cache anything. This can be accessed from the file menu in the upper-right corner of the window or by using the keyboard shortcut (Control Shift N). You can also clear your browser data after surfing to a financial website by going to the tools menu that’s also in the upper-right corner.

It was just yesterday that I wrote about Chrome’s security as being “not bad”, but I personally don’t get a warm and fuzzy feeling if Chrome is indexing all of my financial information. Search and indexing is what Google is good at and the company has made my life a whole lot easier in many ways, but indexing financial info is crossing the line.

On the programming level, I can’t really blame Google’s developers though because HTTPS was never meant to provide any protection anyways on the desktop itself. The protection was developed to protect traffic as it travelled through the “Wild West” Internet. But while this distinction is clear to most of our readers – the regular person probably believes HTTPS/SSL traffic is and should be protected on the desktop.

So is this all a big deal? Well anyone who wants to search your financial information would need local access to your machine and if a person is sitting at your computer, you have a lot more things to worry about than him/her using Chrome’s history search. Conceivably a hacker could develop an app to pull the cache and index files off your computer and examine them later on another machine – these files reside in the “C:\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default” folder.

But on a simpler level, if ALL of the sites I visit are being keyworded and indexed locally, then how do I know that this information will stay local. I guess that depends on how much you trust Google.