TransWikia.com

How safe is opening any website on new browser tab?

Information Security Asked by NKL on October 28, 2021

When I do online shopping where I use my credit card information to purchase, I clear the browser cache, cookies and only open that single site. After I am done, I again clear the cache, cookies and start with my regular browsing. I do this to ensure any other websites that I open on a new tab do not sneak into my credit card information. Is this even possible or just a myth?

So if I wish to open "any" site on a new tab while doing my online shopping, is it safe or do I have to clear cookies every time and open only one site?

3 Answers

The only useful thing about your routine is cleaning the cookies. It's not useful in itself, it is just that, this way, you delete your login session and so a new login (which requires inputting a secret like a password) is required to interact with the shopping site. A better alternative (in terms of your user experience and security) would be logging out from the site.

It goes untold that the CCs information is not stored in your computer but in the servers managed by the shopping site company. So that cannot be stolen from your browser and without a valid login session, no sane shopping site would allow sensible operations. If the shopping site is vulnerable, you've already lost. If you saved your CCs in the browser (is this possible? I hope it's not just form auto-filling) they cannot be stolen from third parties (see below).

Note also that any attack that can be performed on a login session from another tab, can also be performed later when the victim site's tab had already been closed. Granted that the login session persists, client-side, after the closing (which is not the case if you log out or clear the cookies when done or wait enough time).

This is because browsing happens at discrete times and the sites cannot actually tell if the user is still viewing their page. From the shopping site's POV, unless you perform an action, you have already closed its tab, even if you are still reading an item's description. So a malicious request doesn't have to be performed while the shopping site is open, it can be performed any time later (as long as your browser can still identify itself to the site).

Web pages can't access each information other unless coming from the same origin (e.g. same domain) or explicit permission has been granted. Bug in the browser's behavior is possible but should be rare when it comes to enforcing policies. Keep your browser updated.

Browsers can have serious vulnerabilities labeled "zero-days", that would allow a website to take over your browser. Depending on the specific attack, complete access to saved login sessions and password is entirely possible. Escalations that took over the entire machine have been demonstrated and used many times. It suffices to visit a website and it would be totally invisible. The good news is that this zero-click zero-days are worth "a lot" (though in the Apple context, they are losing their value due to the great number of them) and are generally used only against very sensitive targets (think of politicians, national security issues, industry espionage). Committing a felony is not a reason good enough to waste a zero-day on someone, let alone stealing your CC.

Depending on how paranoid you are, you can:

  1. Visit the shopping site normally. You trust your browser to not be vulnerable to basic policy bypass (a rare event) and to zero-days (a quite probable event but not worth on you at all); You trust the site to not be vulnerable to certain attacks.

  2. Visit the shopping site and log out when done. You only trust your browser to not be vulnerable to zero-days. Even if the site is vulnerable or the browser policies are broken, without a login session the attacker could not target "you". Still, if you save your passwords they could be stolen by a zero-day (very very rare event).

  3. Visit the shopping site with a different browser and log out when done. You trust another (possibly hardened at the cost of UX) browser to not have zero-days vulnerabilities or not to have, in your whole software park, zero-days big enough to allow a rogue browser to take over the other applications. If you use a different browser, the attacker would need to escape any sandbox the OS put around the browser (if any).

  4. Avoid suspicious sites. You avoid the problem in the first place. It's impossible to avoid them all, especially because most popups auto opens. But serious attacks are targeted towards you. The usual popups on streaming sites just try to fool you, so don't worry about them, but if you find a sticker on your (and only your) door which read "visit whatever.com for free stuff!" it's best not to do so.

  5. Visit the shop in person. You only trust your person to not be vulnerable to the here-is-a-knife-gimme-yer-wallet attack.

I personally go with point 2 and never save the passwords of sensitive sites in the browser (use a password manager if needed).

Answered by Margaret Bloom on October 28, 2021

So if I wish to open "any" site on a new tab while doing my online shopping, is it safe

The same origin policy should prevent other sites from accessing your data in the online shopping site. That is assuming that the shopping site has no vulnerabilities that leak data (CSRF, XSS, XSSI, broken CORS, broken messaging, etc.).

Having only one tab open may mitigate some of the damage malicious sites could do. But with technology like serviceworkers, malicious sites may also be able to perform attacks even after you closed the tab. If you want additional security, you should use other mechanisms which are designed to separate different areas (e.g. private/incognito tabs/windows, different browsers, Chrome's browser profiles, or Firefox's multi-account containers).

Answered by tim on October 28, 2021

I do this to ensure any other websites that I open on new tab does not sneak into my credit card information. Is this even possible or just a myth?

That is simply not possible, because the browser doesn't allow such a request due to the same origin policy without the website explicitly stating it in their CORS headers; apart from that, credit card info isn't stored in the cookies but instead stored similar to passwords, that is if you use the inbuilt browser function to store the credit card details.

So if I wish to open "any" site on a new tab while doing my online shopping, is it safe or every time I have to clear cookies cache and open only 1 site?

No, you don't have to clear cache/cookies each time you open a new tab, that is assuming your banking website isn't vulnerable to CORS misconfiguration; even then your credit card info should be safe, but the website on the new tab would be able to perform an HTTP request to your bank if such a vulnerability is present. Hence use 2FA.

Answered by yeah_well on October 28, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP