Written by Phil Muncaster, Guest Editor at ESET
Web browsers are our gateway to the digital world. We spend hours on it every day, making it not only a vital tool for legitimate users, but also a valuable target for threat actors. Over the years, they have become a repository of credentials, cookies, web searches, and other juicy information that could be targeted by cybercriminals. They can even use attacks to control your computer remotely and gain access to the network it is connected to.
The threats go beyond malicious third parties. Many users may also feel slightly uncomfortable about third-party advertisers and others accessing and tracking their personal information through the browser. Fortunately, there is a lot you can do to manage these risks.
Top Browser Threats
There are many threats: some target browsers more directly than others. Here are some of the best:
Exploitation of vulnerabilities in browsers or any plug-ins/extensions you may have installed. This tactic could be used to steal sensitive data or download additional malware. Attacks often start with a phishing email/message, or by visiting a site that has been compromised or is controlled by the attacker (drive-by-download).
Malicious plugins: There are thousands of plugins in the market, which users can download to enhance the browsing experience. However, many have privileged access to the browser. This means that malicious plugins spoofed to appear legitimate could be used to steal data, download additional malware and more.
DNS poisoning: DNS is the Internet’s address book, converting the domain names we type into IP addresses, so that our browsers show the sites we want to visit. However, attacks on DNS entries stored by your computer, or on the DNS servers themselves, could allow attackers to redirect browsers to malicious domains like phishing sites.
Session hijacking: Session IDs are issued by websites and application servers when users log on. But if attackers manage to brute force these credentials or intercept them (if they are not encrypted), then they could connect to the same sites/apps impersonating the user. From there, it is only a short step to stealing sensitive data and potentially financial details.
Man-in-the-middle/browser attackIf attackers manage to insert themselves between your browser and the websites you visit, they might be able to alter traffic, such as redirecting you to a phishing page, delivering ransomware, or stealing credentials . This is especially true when using public Wi-Fi networks.
Operation of web applications: Attacks as cross-site scripting may still target applications on your machine rather than the browser, but the latter is used to deliver or execute the malicious payload.
The privacy angle
These scenarios all involve malicious third parties. But let’s not forget the vast amounts of data that ISPs, websites, and advertisers collect about visitors every day as they browse the web.
Cookies are small pieces of code generated by web servers and stored by your browser for a period of time. On the one hand, they record information that can help personalize the browsing experience, for example by displaying relevant advertisements or ensuring that you do not have to log in to the same site several times. But on the other hand, they represent a privacy issue and a potential security risk, if hackers get hold of them to gain access to user sessions.
In the EU and some US states their use is regulated. However, when presented with a pop-up of options, many users simply click to accept the default cookie settings.
How to browse the web more securely
Users can do a lot to mitigate security and privacy risks when browsing the web. Some involve the browser directly; others are best practices that can have a positive ripple effect. Here are some key best practices:
- Keep your browser and plugins up to date to mitigate the risk of exploiting vulnerabilities. Uninstall all outdated plugins to further reduce the attack surface
- Only visit HTTPS sites (those with a padlock in the browser’s address bar), which means hackers can’t spy on traffic between your browser and the web server
- Be “phishing aware” to reduce the risk of browser threats delivered through email and online messages. Never reply or click on any unsolicited email without verifying the sender’s details. And do not disclose any sensitive information
- Think before downloading apps or files. Always go through official sites
- Use a multi-factor authentication (MFA) application to reduce the impact of credential theft
- Use a VPN from a reputable provider, not a free version. This will create an encrypted tunnel for your internet traffic to protect and hide it from third party trackers.
- Invest in multi-layered security software from a reputable vendor
- Enable automatic updates on your operating system and device/machine software
- Update browser settings to prevent tracking and block third-party cookies and pop-ups
- Disable automatic password saving in the browser, although this will impact the user experience when logging in.
Consider using a privacy-focused browser/search engine to minimize secret data sharing
Use private browsing options (e.g. Chrome Incognito mode) to prevent cookie tracking
Most of the tips above are optional and will depend on the strength of your privacy concerns. Some users are willing to accept a certain amount of tracking in exchange for a smoother browsing experience. However, security tips (like HTTPS, automatic updates, security software) are essential to reduce your exposure to cyber threats. Good navigation.