Google Chrome's cache exposes personal data

Byron Acohido | USA TODAY

SEATTLE – A major security flaw in Google's popular Chrome browser was exposed on Thursday by data management firm Identity Finder.

The flaw comes into play anytime you type personal information into webforms at trusted websites or directly into the Chrome browser address bar.

Researchers found that Chrome's caching mechanism routinely stores names, e-mail addresses, street addresses, phone numbers, bank account numbers, social security numbers and credit card numbers directly onto your hard drive in plain text -- without your knowledge or consent.

The function of a browser cache is to store files from websites, mainly to speed display of web pages on your next visit.

It's trivial for anyone with physical access to your computer to view and copy all of this sensitive personal data. What's worse, any bad guy who has lured you into installing a data-stealing Trojan on your computer can also easily harvest this very sensitive data.

"Private information is being served on a silver platter for any criminal industrious enough to gain access," says Identity Finder CEO Todd Feinman. "This should frighten any consumer or business using Google Chrome."

Chrome is the world's third most popular web browser with a 16% market share; Firefox has a 19% share and Internet Explorer holds a 58% share, according to Net Applications.

This is the second finding of a profound Chrome shortcoming in three months. Last July, NSS Labs analyzed the privacy mechanisms built into Internet Explorer, Firefox, Chrome and Safari and found Chrome offering the poorest privacy protection.

CyberTruth has contacted Google spokeswoman Leslie Miller for comment; Miller says she's looking into it.

"By default Google Chrome stores (web) form data, including data entered on secure websites, to automatically suggest for later use," says Feinman. "This stored data is unencrypted text and accessible if your computer or hard drive is stolen or is infected with malware."

The risks of identity theft to consumers are obvious. Businesses that must comply with the payment card industry's PCI-DSS security rules could fail audits if employees are in the practice of entering credit card data in Chrome.

An extra step employees and consumers can take is to regularly clear Chrome's cache. Until Google addresses this gaping security hole, Chrome users would be wise to learn how to clear Chrome's cache, and do it often.

Security researchers have long warned Google of the dangers presented by poorly-conceived security and privacy controls. "This is no longer a theoretical risk that can be dismissed," Feinman says. "The fact that these security risks have been hard-coded into Chrome for so long only adds to the urgency for browser makers to secure all stored browser data."

It's noteworthy that this flaw is baked into Chrome's basic architecture. "If Google properly prioritizes this issue with enough resources, it can mitigate this risk very quickly," Feinman says.