TH16122
Detected presence of software components that can access browser databases.
priority | CI/CD status | severity | effort | RL level | RL assessment |
---|---|---|---|---|---|
pass | medium | high | None | None |
About the issueโ
Installed software stores sensitive user information in application-specific databases. For browsers, this sensitive information includes the complete history of visited websites, autocomplete form data, saved passwords, website cookies and session information. These databases are typically not protected from unauthorized access for user convenience. Any encryption they might employ is easily bypassed, as the encryption keys are commonly stored alongside the data. For this reason, attackers often aim to gain access to browser databases and exfiltrate collected data to a remote server. While the presence of code that accesses browser databases does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that can interact with browser databases. One example of acceptable use for such functions is extending browser functionality through natively developed plugins.
How to resolve the issueโ
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1217 - Browser Information Discovery.
- Consider rewriting the flagged code without using the marked behaviors.
Recommended readingโ
- T1217 - Browser Information Discovery (External resource - Mitre ATT&CK documentation)
- Data exfiltration (External resource - Wikipedia)