You're very careful with sensitive personal data like your credit card number, right? Before filling a Web form with this kind of information, you always check the Address Bar for the padlock that indicates a secure connection. But if you use Google Chrome for your browser, all your precautions are for naught. The sensitive data specialists at Identity Finder report that Chrome keeps local copies of that data in databases that aren't secured at all.

Not the First Time

This isn't the first time Chrome has come under fire for failing to protect users' privacy. A study by NSS Labs a few months ago evaluated the latest versions of Internet Explorer, Firefox, Chrome, and Safari. They checked each browser's default configuration for handling of various privacy-related issues, among them third party cookies and geolocation. Internet Explorer came out a clear winner here, while Chrome's privacy protection was the poorest.

What's the Risk?

Researchers at Identity Finder scanned computers belonging to several employees using the company's in-depth Sensitive Data Manager. The scan found tons of private information in Chrome's SQLite databases and protocol buffers, including "names, email addresses, mailing addresses, phone numbers, bank account numbers, social security numbers and credit card numbers." This data was exposed for every employee who used Chrome as a primary browser.

Anyone with physical access to the computer or access across the local network can easily read out all of this sensitive personal data. It could also be sifted out and phoned home by a data-stealing Trojan. To double-check that this is a real danger, the researchers cobbled up a proof-of-concept exploit. According to the report, "Attackers could acquire vast amounts of personal information without requiring users to enter anything into a form, or system credentials." In addition, if you sell an old computer without completely overwriting and wiping its hard drive, the buyer could easily access all of this stored information.

The report notes that these risks have been around since Chrome 2.0, and that other browsers may share similar vulnerabilities. Google has been notified of the findings, but hasn't yet responded.

What Can You Do?

Naturally the report encourages all browser makers to beef up security and definitely refrain from storing sensitive data in unprotected databases. Meanwhile, you can take matters into your own hands. Any time you complete a transaction involving sensitive personal data, delete your recent browsing history. In Internet Explorer, Firefox, or Chrome, pressing Ctrl+Shift+Del brings up a window that lets you clear specified data during a specified time period. You can clear just the last hour, if you like, or clear your browsing history "from the beginning of time."

If you're currently relying on Chrome as your primary browser, review the infographic below (you can click on it for a larger image). Maybe it's time to switch back?

Further Reading

Security Reviews