startpage

Chrome’s Solution to the Unsavvy Poses A Potential Risk

Don’t get me wrong, I love Chrome, I think it’s a fantastic browser and has a great track record of protecting users from exploits and malicious sites.  However, their attempts at making it “easier” for users to find where they want to go, makes me think that their security purview isn’t focused enough on the internal threats.

So, if you use Chrome, you might have noticed that anytime you open up a window or a new tab, you get something like this:

startpage

A nice search bar, which I have no problem with, and then a listing of your most visited sites.  Now, to the casual observer I am sure there is nothing wrong here. Users visit certain sites more frequently and therefore it should be easy for them to get there quickly, Chrome makes this possible.

The Downside

Consider, if you will, someone who you don’t know, getting on your system or even looking over your shoulder. Maybe, they cracked your systems login password or you maybe you didn’t have one at all.  Once they open the browser, they are instantly given access to not only your personal surfing habits, but also how you interact with social media, email and where you bank.

If you were in an office environment and left your desk quickly to use the restroom, a stranger or co-worker could hop onto your system and open up one of the commonly visited sites that you might still be logged into.

They can do this just by opening a new tab and thereby cause all kinds of havoc.

The above screenshot shows a scenario where you could easily tell that this person banks with Bank of America and based on that information alone, an attacker or even just someone nosey could create a profile on you.

They could also see that this person spends a LOT of time on Reddit, Buzzfeed and Amazon, using a spear phishing attack against this person would be easy if an attacker masked their identity as the Admin at Buzzfeed or some reseller at Amazon.

This information could be used against you without even having access to your system, just walking by while you were opening a new tab.

So how do you get rid of this potential threat?

Clear your Browsing Data

We have all heard for many years how important it is to clear out browsing, data, be it your history, temp internet files, etc. However, the browser vendors never make it easy as they seem to frequently change around where they put the option to accomplish such a task. So, here is a step-by-step tutorial on it:

Without your browsing data, Chrome won’t be able to populate the start page with anything meaningful.  To do this simply click on the icon to the right of the URL bar and select ‘Settings’

Next, scroll to the bottom of the settings tab and select ‘Show Advanced Settings’

Settings2

After that, go ahead and scroll down to the Privacy section and click on “Clear Browser Data”

Settings3

I highly recommend deleting EVERYTHING from THE BEGINNING OF TIME but that is just me, you should be good just deleting your browsing history, download history, cookies and plug-in data and emptying the cache, I still recommend from THE BEGINNING OF TIME though.

Settings5

After you restart your browser, you should no longer have any sign of your browser habits apparent on the start screen:

startpage3

If the first method is too time consuming and you would rather just not bother with it every time you decide to surf the web, try the second method

Install a Start Page Redirect Extension

My second and greatest recommendation is to use a special extension for your browser that can redirect when you open a new tab to any page you want.  To do this go back to the settings tab and on the left side click on “Extensions”, then “Get More Extensions” and a new tab should open up. From there, type into the search bar to the top left of the page “New Tab Redirect”

NewTabRedirect

In the “Extensions” search listing, you should find an entry for “New Tab Redirect” go ahead and install that by clicking on the blue, “+ Free” button to the right of it.

NewTabRedirect2

Once the extension is done installing, it will open up a page that gives you the chance to modify the extensions Options. Click on that and at the top of the page you will be given the chance to type in any website you want to open when you open a new tab.

In the example above I present a pretty decent option for you. ;P Though you could easily just type in ‘google.com’. Once done, restart your browser and from now on, when you open a tab, all you will see is your custom defined page.

startpage4

Incognito Mode

So Chrome has a special “mode” that it can go into that saves no information whatsoever to your system when you visit websites and it is accessible by pressing Ctrl+Shift+N in Windows or ⌘-Shift-N on a Mac.

incognito

This mode is a great option if you want to go unnoticed on the net, however it doesn’t protect against human behavior, and therefore, Google provided a list of possible threats that Incognito mode won’t save you from.

incognito2
Well, it can’t do what I need it to do then.

We use technology in every aspect of our lives these days and with that benefit and privilege comes a responsibility from ourselves to keep things private and secure from wandering eyes or malicious forces.

There are of course numerous other methods of protecting your browsing habits from wrong-do’ers and if you were targeted by a remote access trojan, such as BlackShades, it would be a matter of just a few clicks to determine where you go the most, and a few more to determine your credentials.

Though using common security practices, like the one described in this blog post, will keep you safe from the people who are bordering on malicious or just bored.

Thanks for reading and safe surfing! DFTBA!

ABOUT THE AUTHOR

Adam Kujawa

Director of Malwarebytes Labs

Over 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.