Why Google Chrome May Be an Identity-Theft Risk

Web browsers are among the most frequently used computer applications. Every day, browsers let hundreds of millions of people catch up on news, send email messages, shop and more. In fact, you're probably using a Web browser right now to read this article.

However, some browsers — for example, Microsoft Internet Explorer — have the reputation, deserved or not, of being insecure and slow. Other browsers, such as Google Chrome, have the reputation of being safe and fast.

But Chrome may not actually be all that secure. Researchers at New York-based security firm Identity Finder recently conducted a search for personally identifiable information (PII) found on typical business users' computers.

The Identity Finder researchers revealed that Chrome created several files on a computer's hard drive that stored sensitive information useful to spies and identity thieves — including names, email addresses and bank-account numbers.

Even if users were to type such information into a secure website, Chrome would save the data in an unsecure manner.

"Chrome browser data is unprotected, and can be read by anyone with physical access to the hard drive, access to the file system or [by] simple malware," said a posting on the Identity Finder blog. "There are dozens of well-known exploits to access payload data and locally stored files."

In an accompanying statement, Identity Finder CEO Todd Feinman explained how these vulnerabilities could endanger Chrome users.

"With most sensitive data stored by Chrome, such as passwords, the only way for malware or a hacker to gain access is if a user is logged in," Feinman said. "However, in this case, some information is stored in clear text and is accessible whether or not the user is logged in."

"By default, Google Chrome stores form data, including data entered on secure websites, to automatically suggest for later use," Feinman explained in the statement. "This stored data is unencrypted text and accessible if your computer or hard drive is stolen or is infected with malware."

In response to Identity Finder's blog posting, a Google spokeswoman told USA Today that "you don't have to save anything if you don't want to," and that "data stored locally by Chrome will be encrypted, if supported by the underlying operating system."

"We recommend people use the security measures built into their operating system of choice," the Google spokeswoman said.

How Chrome doesn't secure your data

Most Web browsers prompt users to store personally identifiable information in the browser for ease of access to frequently visited websites.

For example, when Chrome detects a user entering his own name into an online form field, such as on Amazon.com, it will prompt the user to let the browser automatically fill in his name, address, telephone number and other data.

Other browsers do this too, but each stores the information in its own way, said Tom Gorup, security operations center analyst with Rook Consulting, an IT consulting company based in Indianapolis and San Jose, Calif.

Microsoft Internet Explorer 10 stores personally identifiable information within the registry file of the host computer, whereas Mozilla Firefox stores the user's data in an encrypted text file, Gorup said.

"Attackers can make a good assumption as to what is stored in these encrypted files," Gorup said, "which will then allow them to make an assessment as to what the user's personal identifiable information is and how valuable it might be."

How Chrome syncs your browser history

The problem gets more complicated when it comes to online search queries and Web browser history, both of which are being synchronized across many devices in this era of automatic cloud-based file sharing.

If a user is logged in to a Google account, the Chrome search history and browser history on one machine will sync with the Chrome browsers on all of the user's other devices, including PCs, Macs, Linux machines, Chromebooks and Android smartphones and tablets.

Each iteration of Chrome will be functionally identical to all the others, with the same history, bookmarks, apps and recently visited Web pages.

That may not sound so risky, but if even one of those many devices isn't password-protected, other users can have a peek.

"On one level, syncing is always a potential security risk," said Aaron Titus, Identity Finder's chief privacy officer and general counsel. "Any time information is automatically and seamlessly shared between devices, there is a risk that some of the information was not intended to be shared with another device."

Chrome isn't the only browser that allows cross-platform syncing, but others handle it differently.

Gorup said Microsoft has multiple apps that sync data across Windows 8, Windows Phone and Windows RT devices. Microsoft's search engine Bing has its own apps that can sync across all Microsoft devices, depending on user preferences.

Meanwhile, Apple's iOS and OS X devices use the iCloud platform to sync user data among Macs, iPhones and iPads, including Safari bookmarks and open tabs. (Browser history is not synced by iCloud.)

Why no browsers are truly safe

The newfound vulnerabilities in Chrome raise an important question: Is any browser really secure?

Unfortunately, no, Gorup said.

"Browsers will always be the most targeted and scrutinized software, due to the simple fact that they are the first, and usually last, line of defense," he said.

Sue Marquette Poremba is a security and technology writer based in Central Pennsylvania.