
Browsers - Threats and Risks

Browsers communicate with servers and with other computers and systems, sending and receiving data, which means that they can also receive data that may damage your computer. In this article, we explain how this can happen.

Security gaps

Browser providers strive to make their programs as secure as they can, but 100% security is impossible to achieve. Browsers may contain vulnerabilities that attackers can exploit. Attackers have two strategies for discovering them. First, they can wait for the manufacturer to publish an update (also called a 'patch') that resolves a vulnerability: the patch itself points them to the weakness in the browser that they can exploit. This method is typically successful because many users forget to install browser updates, or install them late.

Alternatively, attackers may proactively search for vulnerabilities that will enable them to penetrate a computer system. Such vulnerabilities can be exploited for a number of purposes, including so-called drive-by downloads. With this method of attack, the criminals hide malware on websites. The malware exploits the vulnerability to install itself on the user's computer as soon as the website is visited, without any further action from the user. Often, this kind of malware is used to steal data or to damage the targeted computer.

Malware and dangerous links

The most well-known threats on the internet are viruses, trojans and spyware. There are countless ways for criminals to load these programs onto the computers of potential victims. Plugging in a USB stick without thinking, or downloading a free version of content that you would normally need to pay for, can later prove to be a costly mistake. E-mails are frequently used to distribute this kind of software: the victim receives a seemingly harmless e-mail announcing a lottery prize that does not exist, clicks the link to claim it, and that click starts the download. Other types of malware do not even need the click; they install themselves by exploiting vulnerabilities, as described above.

Downloading a virus or trojan can have far-reaching consequences. In the best-case scenario, the victim may see some unwelcome advertisements; in the worst cases, they may suffer significant financial or emotional damage. The spectrum of criminal offences involved in a malware infection is very broad, including espionage, bullying, IT damage, online theft, encryption of data with the intent to blackmail, fraud, data loss, identity theft or defamation.

Infographic: threats on the internet. The infographic shows which threats users are exposed to on the internet.
Source: Bundesamt für Sicherheit in der Informationstechnik

As this diagram shows, criminals invest a great deal of time and effort in the development and dissemination of malware. In 2018, over 390,000 malware variants were created each day. The total number of malware programs in circulation was over 800 million.

Advertising banners and pop-ups

Showing advertisements at the edge of the screen is a common way to finance web content. But criminals can hijack this advertising space and use it to link to malware. As soon as a user loads the page, the malicious software is downloaded to their computer, infecting it without their knowledge. Damaging advertisement banners are not limited solely to dubious or unknown websites. Criminals often misuse banners on popular pages to increase the number of victims. Page owners have very little control over the content of these banners, as the advertising space is managed by external providers.

Pop-ups are windows that appear in your browser to display warnings, advertisements or additional information. However, pop-ups can also be used to direct you to damaging downloads or websites. If you click on a malicious link, your system may be infected. If a pop-up window asks you to update one of your programs even though you have activated automatic updates, this is a sign that the download may be malicious. It is usually possible to block pop-ups completely by changing your browser settings.

Active content

Java is an object-oriented programming language that allows programs to be directly integrated and run in a browser across a variety of platforms. Java is a popular target for attacks and misuse. The BSI recommends that users deactivate the execution of Java applications within the browser. Read more in the text about the security of Java.

JavaScript is a scripting language; despite the similar name, it is not based on Java. It is used for a number of purposes, including to check data entered in forms on websites. You cannot tell whether or not JavaScript is active on a website just by looking at it. JScript, Microsoft's variant of JavaScript, can address ActiveX controls. Once these have loaded on the computer, the controls have the same rights as an installed program and offer an attacker many opportunities to manipulate the system, which results in a significant risk to the user. Many browsers allow users to block JavaScript. Doing so reduces the risk, but can also mean that some web elements no longer work.

Java and JavaScript are classed as active content, which refers to small, executable programs within a browser. Because they are executable, they can be abused by attackers to install malware on your computer. Read more in the text 'Active Content' about how it can become a security risk in your browser.

The data that your browser accesses to compile the website that you wish to display often includes invisible program components or scripts. These are responsible for different functions like animated menus or videos and are known as active content. The most well-known types of active content are Java, ActiveX controls, JavaScript/JScript and Flash/Silverlight.

The user cannot tell which functions are linked to the active content simply by looking at the website displayed in the browser. There is a risk that some of the active content could be linked to malware. Different types of active content can all do damage in different ways:

Java

Java programs executed in the context of a website are also known as 'Java applets'. When you access the website, the applets are downloaded and run on your PC. The Java applets run just like a program that has been directly installed on your computer.
Java applets cannot normally access local data without your permission. However, if a criminally minded page owner manages to obtain your permission by deception, or if there are errors in the implementation of the Java virtual machine, it may be possible for cyber criminals to gain unrestricted access to your computer and your data regardless.

ActiveX controls

ActiveX is a technology developed by Microsoft and used in Internet Explorer. The ActiveX elements, which can be integrated into websites as active content, are known as ActiveX controls. These controls are used, for example, to display videos and music, but also for more complex content such as stock tickers. Unfortunately, this technology is often misused as a channel for distributing malware.
This is easy for criminals to do as there are no comprehensive security policies in place. There are signed ActiveX controls, but the signature only confirms the identity of the originator of the ActiveX control. Once the ActiveX program is running, its functionality is completely unrestricted. The ActiveX program has access to all the rights of the logged-in user.

JavaScript/JScript

JavaScript is a scripting language that, despite its name, is not based on Java. A scripting language is a programming language whose programs are delivered in text form and executed by a special "translation program" (known as an interpreter). JavaScript was developed by Netscape specifically for use as active content on websites. It is used for a number of purposes, including to check data entered in forms on websites.

Like Java applets, active content written in JavaScript can end up on your PC more or less without your knowledge. You cannot tell exactly what is hiding on a website by looking at it, which results in a significant risk to the user. There is also a risk of JavaScript errors arising in the implementation.

In the JScript variant of JavaScript, which Microsoft developed for Internet Explorer, there are functions that can cause major damage to a user's computer if they are misused. For example, JScript offers the option of running ActiveX-Controls which, once loaded on the computer, possess the same rights as a locally installed program.

Flash/Silverlight

Adobe's "Flash Player" and Microsoft's "Silverlight" are used to display interactive content and applications (such as interactive presentations, games or entire websites). Flash and Silverlight run as separate browser plug-ins with their own code bases, so vulnerabilities in them can be exploited to attack your computer and install malware regardless of how secure the browser itself is. Such vulnerabilities could also be exploited by attackers to access your webcam or the microphone on your computer.

Cookies and fingerprinting

While not necessarily a security risk, cookies - small pieces of data that a website stores on your computer about your visit - do pose a potential data protection problem. When you visit the website again, the browser sends the stored information back to it. You might notice that a cookie has been used if you visit a website where you had previously entered information into an online order form, and find that it is already populated with your data on your next visit. In your browser options, you can configure whether you want your browser to store cookies, which websites you want to allow cookies from and when these cookies should be deleted.
As cookies are not executable programs, they are not a direct security risk. They are still a potential source of problems, however: cookies are also used to tailor websites to your personal preferences, and to achieve this they can build up a very detailed profile of you, which can be problematic. Companies may use cookies to display targeted advertising.

Fingerprinting

The purpose of fingerprinting is similar to that of cookies: to track and measure the online actions of users. The collected data is used to create detailed profiles, which in turn can be used to determine which products a person may be interested in or which social environments they interact with. Fingerprinting is harder to escape than cookies because nothing has to be stored on the user's device: deleting or blocking cookies does not remove the fingerprint, and in some cases users can even be recognised across different browsers on the same device.

A fingerprint combines the user's IP address, browser data and operating system information with their time zone and the fonts, system language and display resolution they use. It may even record whether the user has an ad blocker activated and, if so, which one. Individually, each of these values is shared by many people; in combination they generally produce a profile that can be precisely linked to a specific user.

Two types of cookies

There are two types of cookies: persistent (also called permanent) cookies and session cookies. Persistent cookies remain on your computer for months or even years unless they are deleted manually or automatically. Session cookies, on the other hand, are automatically deleted when you close your browser. This is the kind of cookie that banks use for online banking. Because they disappear with the session, these cookies are not a data protection risk in the sense described here. Persistent cookies are more problematic: this type of cookie can log user behaviour over extended periods of time, recording information such as the products the user searches for in online shops.

Cookies on public computers are also a potential risk. Some social networks use cookies to keep users logged in if they close their browser at the end of the session without actively logging out. If this happens, the next person to use the public computer will be able to access the previous user's profile and potentially cause damage.

Cookies from third-party providers

In general, websites can only read cookies that they placed on a user's computer; Online shop A cannot read cookies that were placed by online shop B. However, there are also third-party providers, such as advertising agencies, who place advertising banners on various websites. These advertising banners sometimes place their own cookies. If a user happens to visit three different websites with the same advertising banner cookie, the advertising agency can, in theory, use its cookie to determine which three sites the user visited. This gives them a very comprehensive portfolio of data on a person's browsing behaviour. For this reason, cookies from third-party providers are considered problematic by data protection authorities.

Browser hijacking

The phrase "browser hijacking" refers to the redirection of browser requests to third-party webpages. If your browser is hijacked, you will usually end up on an advertising site instead of your own homepage or the web address you entered.

Browser hijacking attacks are executed by small programs that take control of your browser. Although they don't inflict direct damage, they are annoying and can be difficult to remove. The search field in your browser can also be misused for this purpose; instead of taking you to the search results for the phrase you enter, your browser will show you an advertising page. Your favourites/bookmarks might also be modified, or you may find that new entries are added.

Browser hijackers exploit vulnerabilities in the operating system or in applications - and once they're in, they can be very difficult to get rid of.

Users

Users are still one of the most important routes of entry for attackers seeking to penetrate an IT system. Manipulation, falsified documents and confusion are often at the root of harmful hacker attacks. To make sure that you don't fall victim to social engineering, always apply common sense when using the internet.

For example, think carefully before clicking on links or opening e-mails; check the source whenever you want to download something, and review your own system security on a regular basis. Surfing the internet using a browser can be risky. But if you understand the risks and know how to counteract the threats you face, you can surf the web more securely.