User Profiles: The Achilles' Heel of Web Browsers
Dolière Francis Somé, Moaz Airan, Zakir Durumeric, Cristian-Alexandru Staicu
TL;DR
This work reveals that modern browser profiles store highly sensitive data (cookies, passwords, extensions, and device permissions) in on-disk locations with limited integrity or confidentiality protections, making them vulnerable to file-system attackers. It demonstrates end-to-end attacks that exploit both local access and the Web via the File System Access API to hijack sessions, inject malicious extensions, alter permissions, and mount MiTM traffic, including from weak web adversaries. The authors propose practical countermeasures such as machine-bound, encrypted, and opaque profiles, stronger separation of data and code, and OS-level safeguards, along with a discussion of vendor, user, and OS responsibilities. They also provide a proof-of-concept encryption scheme and a user study showing that users may unknowingly grant FSA permissions, underscoring the need for robust protections as browsers increasingly expose file-system capabilities. Overall, the paper highlights a significant and evolving threat landscape at the intersection of browser persistence, user data, and web-accessible APIs, urging concerted improvements from vendors, OSes, and researchers.
Abstract
Web browsers provide the security foundation for our online experiences. Significant research has been done into the security of browsers themselves, but relatively little investigation has been done into how they interact with the operating system or the file system. In this work, we provide the first systematic security study of browser profiles, the on-disk persistence layer of browsers, used for storing everything from users' authentication cookies and browser extensions to certificate trust decisions and device permissions. We show that, except for the Tor Browser, all modern browsers store sensitive data in home directories with little to no integrity or confidentiality controls. We show that security measures like password and cookie encryption can be easily bypassed. In addition, HTTPS can be sidestepped entirely by deploying malicious root certificates within users' browser profiles. The Public Key Infrastructure (PKI), the backbone of the secure Web. HTTPS can be fully bypassed with the deployment of custom potentially malicious root certificates. More worryingly, we show how these powerful attacks can be fully mounted directly from web browsers themselves, through the File System Access API, a recent feature added by Chromium browsers that enables a website to directly manipulate a user's file system via JavaScript. In a series of case studies, we demonstrate how an attacker can install malicious browser extensions, inject additional root certificates, hijack HTTPS traffic, and enable websites to access hardware devices like the camera and GPS. Based on our findings, we argue that researchers and browser vendors need to develop and deploy more secure mechanisms for protecting users' browser data against file system attackers.