It’s nice to be loved. We all appreciate the extra convenience. But all that personal information your browser stores is leaving you exposed to tracking and hacking – and it doesn’t take much for the wrong people to get their hands on it.
Welcome to the joys of ‘history sniffing’
Let’s look at the scary bits. Starting with your browser history – the long and growing list of websites you have visited. Browsers keep this log so you don’t have to keep typing long URLs when three keystrokes will do.
Unfortunately, while your browser loves making lists, ‘history sniffers’ love reading them. These include tracking companies looking at your online activity to target you with adjusted ads and messages, but also cyber-criminals customizing their online attacks to make you more likely to fall for them.
Their methods are simple and sneaky. You know how, once you visit a website, the links that lead to it are shown in a different color? At first, these sniffers would look at these differences in color to compile a list of what sites you have already visited.
When browsers figured this out, sniffers started timing how long it takes your browser to load different websites; the shorter it takes, the likelier it is that you have visited them before. Basically, a few lines of code are enough to force your browser to reveal your browsing history.
Once someone knows which websites you visit, they can trick you into giving up your login details to sensitive sites (such as your bank’s) by sending you links to fake website replicas that look exactly like the real thing — this is what’s known as a phishing scam.
Or someone could potentially expose your more, umh, embarrassing browsing habits. Imagine waking up one day to the news that someone has leaked a database of visited websites linked to actual people’s names or email addresses. Maybe you’d rather have the phish.
Your browser can reveal your password with a few clever clicks
Your browser is offering to remember your passwords for you. No more remembering and typing password after password? Sounds like an offer you can’t refuse.
Well, refuse it. Because we are about to teach you how to reveal passwords straight from the login page. It’s terrifyingly easy.
(Note: while this trick specifically works for Google Chrome, other browsers have their own version of it. Note 2: do not do this in front of anyone whom you wouldn’t want knowing your passwords.)
Go onto your email, Facebook or even online banking login page. Fill in your password. As usual, your password shows as a string of asterisks or dots that nobody can read. Safe. Good.
Now right-click on the password box and select “Inspect”. This shows you the developer section with a bunch of code, and a highlighted sentence that starts with “input type=password”. Now delete the word “password” and hit the ‘enter’ key.
Voilà. Anyone can turn those dots and asterisks into the real letters and numbers they are intended to disguise, in about five seconds and a couple of clicks.
It’s true that your browser often bypasses the login page altogether and sends you straight to your inbox or newsfeed, so there are no asterisks and dots to uncover. But if you have allowed your browser to save your password, all you have to do is log out of your account and reload the login page: your browser will populate your password box with asterisks and dots without logging you in.
And who can get a hold of them? Anyone in your household or workplace walking by your unattended computer. Anyone who finds your lost or forgotten laptop. Anyone who lures you away from your laptop at a coffee shop, even for just one minute. Anyone who straight up steals your laptop. Our point is: the “hidden” passwords you store in your browser can be revealed — just like that.
Autocomplete your way to financial Armageddon
And then there’s autocomplete, also known as auto-fill — the super convenient functionality that has saved you countless of minutes typing up your address or credit card details in online forms.
But someone has already found a way to turn that against you. They will show you a website that asks you for something simple and relatively harmless — like your name and your address. Auto-correct gets to work filling all the fields you see on the screen… except that this website has hidden fields it’s not showing you — just your browser. Your poor browser cannot tell the difference, so it goes along filling up your credit card details or whatever other information it’s being asked to provide, right in front of you yet completely hidden from sight.
Your browser thinks it’s helping you. Instead, it’s helping hackers empty your bank account.
No need to panic. Just clean up your browser gunk
Now for the good news: protecting yourself from these threats is very easy, and it includes things that you can do right this moment. And they don’t cost a thing.
Clean your browser regularly. Clearing your cookies, cache and web history after every session may be overkill for most of us, but you can get into good browser hygiene habits by doing it every two weeks or so. Does that still sound like an annoying hassle? May we suggest AVG TuneUp — our state of the art tool that cleans all the gunk off your PC, Mac or Android so you don’t have to.
Update your browser. Developers add new layers of protection against recent threats, so you want to make sure you are up to date.