SEATTLE - Google has responded to assertions by data management firm Identity Finder indicating poor security design of its Chrome browser -- flaws that could expose a user's personal information to data thieves.
In response to CyberTruth's reporting on Identity Finder's findings, Google spokeswoman Leslie Miller sent us this statement:
Miller: Chrome is the most secure browser and offers you control over how it uses and stores data. Chrome asks for permission before storing sensitive information like credit card details, and you don't have to save anything if you don't want to. Furthermore data stored locally by Chrome will be encrypted, if supported by the underlying operating system. For example, Chrome OS encrypts all data stored locally by default. We recommend people use the security measures built into their operating system of choice.
CyberTruth asked Identity Finder CEO Todd Feinman to reply to Miller. Feinman's rejoinder:
Feinman: Chrome has several databases and files that store information on users' computers. One of those databases is encrypted and designed specifically to store passwords securely. However, other unencrypted databases and files store strings of text regardless of their sensitivity.
These files are where Identity Finder was able to find unprotected credit card numbers and other personally identifiable information. This means a lost or stolen computer or one infected with malware could lead to identity theft even without access to the underlying Windows account.
While it is true that Chrome permits users to clear caches, it takes a degree of tech savvy to know that information is being stored in the first place. The location (in Windows 7 and 8) of these unencrypted files that could contain sensitive information is:
File Path: %localappdata%\Google\Chrome\User Data\Default\
File Names: Current Session, Last Session, Current Tabs, Last Tab, History Provider Cache
The Windows OS supports encryption, but Identity Finder's tests confirmed that Chrome does not independently encrypt the cached data like they do passwords. And Chrome did not force or recommend that the Windows OS encrypt the data.
While it's true Chrome asks for permission before storing Autofill and Password information, it does not ask for permission before caching sensitive information like credit card details, which are stored on your computer unencrypted.
Identity Finder felt it was important for users to understand that by default Chrome stores sensitive personal information in plain text.
This is why sensitive data management practices are important for individuals and enterprises that use Chrome. Whole disk or OS encryption are good practices, but are unfortunately uncommon among typical users.
And even whole disk or OS encryption would not have prevented the exploit that Identity Finder's researchers demonstrated.