How Safe is Your Internet Browser?

Ragnar Security
Jul 3, 2019

Everyone who uses the internet has passwords to authenticate into their accounts. Many of us use the same password for each website; however, with the rise of password managers (like LastPass), we can generate a different password for each website and have the manager log in for us. The only password we need is the one to access the password manager! But are all password managers created equal? Browser password managers tend to be less secure than third-party password managers.

Most browsers allow us to store passwords for our convenience; however, they store them insecurely. Take Google Chrome, for example: if you go into Settings->Passwords and authenticate using your computer username and password, you will be able to see all saved passwords. This is extremely unsafe, as anyone who has the credentials to your computer has access to all accounts that are stored in Chrome. Two-factor authentication can improve the security, but it is currently unavailable natively in browser password managers. Third-party extensions like LastPass support two-factor authentication. Not only are browser password managers insecure, but browsers can also contain zero-days (making it easier to steal the passwords by installing malware onto a system).

Recently, Coinbase’s Security Team discovered an attack on their employees in which adversaries tried to access their credentials. It was a phishing attack that would open Firefox, load spyware, and access the credentials stored in the browser. The attackers did this through a chain of two zero-days which created a backdoor to access a computer. Mozilla developers were privately notified of the issue via their bug reporting messaging board but didn’t patch it until recently. Luckily, Coinbase discovered the two zero-days themselves when an adversary tried to send malware via phishing email, and they reported it again to Mozilla. If the attackers had been successful, they would have recovered all the passwords stored in browsers, installed malware into Coinbase’s system, and stolen millions of dollars’ worth of cryptocurrency. (If you want to learn about this issue, listen to Security Now Episode 720.)

With these issues pointed out in browsers, here are some ways to stay more secure:

1. Use a third-party password manager that requires two-factor authentication and encrypts stored passwords. Preferably, it should store the passwords locally, which makes it difficult for an adversary to access multiple users’ password managers.

2. When a browser asks you if you want to store a password locally, don’t do it. Browser password managers likely don’t encrypt stored passwords and are prone to having zero-days exploited.

3. Verify where all emails are coming from before opening them and their attachments. If you can’t verify that an email came from a trusted source, don’t open it. If you want to log in to verify that your account isn’t hacked, go to the company’s website yourself by going to their homepage.

4. Look into third-party anti-phishing and anti-virus software. This can act as an active line of defense that helps you catch malicious email or software when you can’t. Treat this as a first or last line of defense; don’t rely solely on either type of software to catch everything.

Keep in mind: the internet has many resources at your disposal; however, if you are not careful, it can be a dangerous place as well. Make sure you always update your browser to the latest patch to avoid security concerns, keep your passwords safe, and ensure you are well protected.

- Ragnar