In the famous words of a canine scholar best known for his research into unexplainable phenomena, "Ruh roh!" That about sums up our reaction to the discovery that Google's Chrome browser may be storing sensitive data in such a way that it would be relatively easy for a malicious third party to dig it up and steal your identity, among other things.
Security researchers at Identity Finder said they performed a series of deep scans on several employee computers using the latest version of Sensitive Data Manager (SDM). The scans revealed a bunch of Chrome SQLite databases and protocol buffers storing user information such as names, addresses, email addresses, phone numbers, bank account info, credit card details, and even social security numbers.
"We confirmed with each employee that sensitive data, such as social security and bank account numbers, were only entered on secure, reputable websites," claims Identity Finder.
Chrome saved copies of the above-mentioned data in the History Provider Cache, while other SQLite databases "of interest" include Web Data and History.
Since Chrome's browser data isn't protected, it would be relatively easy for a person to dig up the info if they had physical access to the system's hard drive, access to the file system (such as over a shared network), or malware running on the machine. That isn't just a theory -- the company coded a simple proof-of-concept malware designed to trick users into granting access to their file system.
So, what can Chrome users do? After entering a credit card on a website and completing the transaction, you should "Clear saved Autofill form data," "Empty the cache," and "Clear browsing history" from the past hour. Alternatively, you can disable Autofill or use Chrome's incognito browsing mode.
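To check whether anything is still left behind after clearing, you can audit a copy of one of the SQLite files yourself. The sketch below is an added example, not Identity Finder's SDM or any Chrome code: it walks every table of a SQLite database and flags text cells that contain an SSN-shaped value or a digit run that passes the Luhn checksum used by payment cards. The table name, column names and sample values are constructed for the demo, and protocol buffer files are not covered.

```python
import re
import sqlite3

# Candidate patterns: 13-19 digit card numbers (optionally space/dash
# separated) and US SSNs written as AAA-GG-SSSS.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_sqlite(conn: sqlite3.Connection):
    """Return (table, column, kind) for each text cell holding a card number or SSN."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cur = conn.execute(f'SELECT * FROM "{table}"')
        cols = [c[0] for c in cur.description]
        for row in cur:
            for col, cell in zip(cols, row):
                if not isinstance(cell, str):
                    continue
                if SSN_RE.search(cell):
                    hits.append((table, col, "ssn"))
                for m in CARD_RE.finditer(cell):
                    if luhn_ok(re.sub(r"\D", "", m.group())):
                        hits.append((table, col, "card"))
    return hits

def demo():
    # Constructed sample data; the table and column names are hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE form_values (name TEXT, value TEXT)")
    conn.executemany("INSERT INTO form_values VALUES (?, ?)", [
        ("cc", "4111 1111 1111 1111"),   # common test card number, passes Luhn
        ("ssn", "123-45-6789"),          # constructed SSN-shaped value
        ("order", "1234567890123456"),   # 16 digits, fails Luhn
    ])
    return scan_sqlite(conn)
```

For a real check, close Chrome, copy the database file out of your own profile, and pass `sqlite3.connect(path_to_copy)` to `scan_sqlite`; an empty result after clearing means none of these patterns remain in that file's text columns.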