WebCull

The Problem With Browser Bookmark Security

Published on March 11th, 2025 by Andrew Dear
Segment: Security

Modern web browsers store your bookmarks (favorites) in files or databases within your browser’s user profile directory on your computer, even if you have sync on. Unlike passwords, these bookmark files are not encrypted – they are stored in plain text or simple database formats for quick access. For example, Mozilla Firefox keeps all bookmarks in an SQLite database. Google Chrome, Microsoft Edge (Chromium-based), and other Chromium browsers use a JSON-formatted file (commonly named “Bookmarks”) to save bookmark data. Apple’s Safari similarly saves bookmarks in a property list file (Bookmarks.plist) in the user’s Library folder. Because these bookmarks are stored in plain text, they are also vulnerable to manipulation. In all cases, the bookmark data (titles, URLs, tags, and notes) is readable and not protected by encryption or a password.

Storing bookmarks in plain form is primarily a design choice for convenience, especially when transitioning between browsers. However, this convenience comes at a cost: any program or malware running under your operating system account can potentially access these files and read your bookmarks without needing any special permission or decryption key. In contrast, browsers often encrypt sensitive items like saved passwords or cookies with an OS-provided key, but bookmarks, wrongly, don’t get the same treatment.

Security Risks of Exposed Bookmark Data

Because bookmarks are stored unencrypted, they are vulnerable to unauthorized access by spyware, malware, or even legitimate applications that probe your browser data. Malware that infects your system can simply read the bookmark file or database and steal its contents. In fact, malware and hacker toolkits explicitly target browser bookmarks as part of the data they gather from victims. The MITRE ATT&CK database notes that “data saved by browsers (such as bookmarks) may reveal a variety of personal information about users” including “banking sites, relationships/interests, social media, etc.” as well as “details about internal network resources such as servers, tools/dashboards, or other related infrastructure”. It also lists numerous threats that leverage bookmark data.

Procedure Examples:

  • APT38 (Lazarus Group - North Korea): Collects browser bookmark information to gather intelligence about compromised hosts, obtain personal user details, and identify internal network resources.
  • Calisto: macOS-focused Trojan that steals Google Chrome bookmarks to uncover sensitive web portals or enterprise applications.
  • Chimera: Chinese-linked APT group that retrieves bookmarks from Windows user directories, particularly from Internet Explorer and Citrix environments, for corporate espionage.
  • Cuckoo Stealer: macOS-based info stealer that collects bookmarks, cookies, and history from Safari for phishing and reconnaissance.
  • Empire: Open-source post-exploitation framework that steals browser bookmarks and visited sites for lateral movement and privilege escalation.
  • Fox Kitten APT: Iranian APT group that steals Google Chrome bookmarks to map internal corporate resources and privileged access points.
  • Lizar: Russian-developed malware that retrieves browser history and bookmarks for target profiling.
  • Machete: Espionage malware that retrieves user profile data, including bookmarks, from Google Chrome and Mozilla Firefox.
  • Moonstone Sleet (Russian APT): Russian-linked threat actor that deploys malware capable of capturing browser information.
  • SUGARDUMP: Malware designed to collect browser bookmarks and history as part of reconnaissance operations.
  • Volt Typhoon (Chinese APT): China-linked APT that targets network administrators’ browser data to identify critical infrastructure systems.

Source: https://attack.mitre.org/techniques/T1217/

These real-world examples show that bookmarks are actively being harvested in cyberattacks. In some cases, stolen bookmarks have been used to facilitate targeted phishing or intrusion. Once obtained, an attacker can analyze your bookmarks to learn your habits or to plan further attacks. For instance, an attacker with access to your bookmarks could see that you frequent a particular banking website and then craft a phishing email related to that bank. In an enterprise scenario, if an attacker finds bookmarks to internal sites or VPN portals, they gain clues on how to penetrate deeper into the network.

Additionally, the integrity of your bookmarks can be manipulated by malware. Because there’s no protection against modification, malware that infects a system can insert malicious bookmarks or alter existing ones. One documented attack method is to add a bookmark that looks benign but actually leads to a malicious site – effectively luring the user to click it later. There have been cases where invisible malware planted a bookmark in the browser; when the user eventually clicked it, it led to a malware-infested page that installed further malware. Security researchers have shown that attackers could use bookmark synchronization features as a covert channel – for example, by inserting stealthy bookmarks that carry encoded data out of the network via the browser’s cloud sync. Once malware has file access, it can also change a bookmarked URL to point to a lookalike phishing page (while keeping the familiar title), tricking users into a “two-step” phishing attack.

In short, unprotected bookmarks present both a confidentiality risk (they can be read by unauthorized actors) and an integrity risk (they can be altered for malicious purposes).
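One way to detect the integrity problem described above is to compare a trusted snapshot of a Chromium-style “Bookmarks” file with the current one. The following is an added example, not code from the original article or from any browser project; it assumes each bookmark keeps its guid field across edits, and all sample data is constructed.

```python
import json
from urllib.parse import urlsplit

def url_nodes(node):
    """Yield every bookmark (type "url") beneath a Chromium bookmark node."""
    if node.get("type") == "url":
        yield node
    for child in node.get("children", []):
        yield from url_nodes(child)

def index(bookmarks_json):
    """Map guid -> (title, url) across all roots of a Bookmarks document."""
    roots = json.loads(bookmarks_json)["roots"]
    return {n["guid"]: (n["name"], n["url"])
            for root in roots.values() if isinstance(root, dict)
            for n in url_nodes(root)}

def diff(baseline_json, current_json):
    """Compare a trusted snapshot with the live file; return suspicious changes."""
    old, new = index(baseline_json), index(current_json)
    findings = []
    for guid, (title, url) in new.items():
        if guid not in old:
            findings.append(("added", title, url))
            continue
        old_title, old_url = old[guid]
        if urlsplit(url).hostname != urlsplit(old_url).hostname:
            # Familiar title kept, host swapped: the retargeting case described above.
            kind = "retargeted" if title == old_title else "changed"
            findings.append((kind, title, url))
    return findings

def _doc(children):
    """Build a constructed document in the Chromium "Bookmarks" layout."""
    bar = {"type": "folder", "name": "Bookmarks bar", "children": children}
    return json.dumps({"roots": {"bookmark_bar": bar}, "version": 1})

# Constructed sample data; every domain is a reserved test name.
BASELINE = _doc([
    {"type": "url", "guid": "g-1", "name": "My Bank", "url": "https://bank.example/login"},
    {"type": "folder", "name": "Work", "children": [
        {"type": "url", "guid": "g-2", "name": "Wiki", "url": "https://wiki.corp.example/"}]},
])
CURRENT = _doc([
    {"type": "url", "guid": "g-1", "name": "My Bank", "url": "https://bank-example.invalid/login"},
    {"type": "folder", "name": "Work", "children": [
        {"type": "url", "guid": "g-2", "name": "Wiki", "url": "https://wiki.corp.example/"}]},
    {"type": "url", "guid": "g-3", "name": "Free Tools", "url": "https://tools.invalid/"},
])

if __name__ == "__main__":
    for finding in diff(BASELINE, CURRENT):
        print(finding)
```

The baseline only has value if it is kept somewhere that software running under the same user account cannot rewrite.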

Bookmarks as a Privacy Liability (Profiling and Tracking)

Outside of cyberattacks, your collection of bookmarks can pose a privacy risk if it falls into the wrong hands. Bookmarks often include an intentionally curated set of websites that you consider important – which means they can paint a detailed picture of your life, interests, and activities. A cybersecurity discussion on Stack Exchange noted that leaking your bookmarks “would let someone build a pretty good picture of who you are and your interests” including personal details inferred from your saved bank, shopping, or email site bookmarks. For example, a glance at someone’s bookmarks might additionally reveal their union, frequent travel sites, health-related forums, favorite news sources, or hobby sites – information that could be used for profiling or social engineering.

From a tracking and analytics standpoint, an application or browser extension that can silently read your bookmarks could use them to profile you for targeted advertising or data mining. Unlike browsing history (which is a raw log of everything you visited), bookmarks represent intentional interests – sites you plan to revisit. This can be very valuable for profiling. An attacker or intrusive app could combine bookmark data with other information to create a comprehensive dossier on a user’s online life. In corporate settings, bookmarks might even include links to internal tools or project pages, which could expose company affiliations or projects. In one reported APT incident, stolen browser bookmarks were used to identify internal servers and resources in a target’s network – effectively using the victim’s own “favorites” to map out what to attack.

There’s also the risk of sensitive information in bookmark URLs. Some bookmarked URLs may contain query strings with identifiers or keys that are private. For instance, if you bookmark a web application while you’re logged in or viewing a specific record, the URL might include session tokens or database IDs. If an attacker obtains those bookmarks, they might glean information from the URL itself, or potentially reuse a still-valid token. As one security forum answer noted, a bookmark could inadvertently store an account ID or transaction number in its URL – data you wouldn’t want exposed publicly. All of these concerns make it clear that bookmarks should be treated as personal data.
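To find bookmarks of your own that carry this kind of data, the stored URLs can be audited directly. The following is an added example, not code from the original article: it queries the moz_bookmarks and moz_places tables of Firefox’s SQLite bookmark store, using a constructed in-memory stand-in with only the needed columns, and the list of sensitive parameter names is an assumption.

```python
import sqlite3
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets: an assumption for this example, tune per application.
SENSITIVE = {"token", "access_token", "session", "sessionid", "sid",
             "key", "api_key", "auth", "password"}

def read_bookmarks(conn):
    """Return (title, url) per bookmark; type = 1 marks bookmark rows in moz_bookmarks."""
    return conn.execute(
        "SELECT b.title, p.url FROM moz_bookmarks b "
        "JOIN moz_places p ON p.id = b.fk WHERE b.type = 1 ORDER BY b.id").fetchall()

def audit(bookmarks):
    """List (title, reason) for URLs embedding credentials or secret-looking parameters."""
    findings = []
    for title, url in bookmarks:
        parts = urlsplit(url)
        if parts.username or parts.password:
            findings.append((title, "credentials in URL userinfo"))
        # Tokens can sit in the query string or, after OAuth-style redirects, the fragment.
        for name, _ in parse_qsl(parts.query) + parse_qsl(parts.fragment):
            if name.lower() in SENSITIVE:
                findings.append((title, f"sensitive parameter '{name}'"))
    return findings

def scrub(url):
    """Return the URL without userinfo, sensitive query parameters or token fragments."""
    p = urlsplit(url)
    query = urlencode([(k, v) for k, v in parse_qsl(p.query) if k.lower() not in SENSITIVE])
    leaky = any(k.lower() in SENSITIVE for k, _ in parse_qsl(p.fragment))
    host = p.netloc.rpartition("@")[2]  # drop "user:password@" if present
    return urlunsplit((p.scheme, host, p.path, query, "" if leaky else p.fragment))

def sample_db():
    """Constructed in-memory stand-in holding only the columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, title TEXT);")
    rows = [("Docs", "https://docs.example/guide#section-2"),
            ("Invoice", "https://billing.example/view?account=1042&sessionid=abc123"),
            ("NAS", "https://admin:hunter2@nas.example/"),
            ("App", "https://app.example/cb#access_token=xyz&state=1")]
    for i, (title, url) in enumerate(rows, 1):
        conn.execute("INSERT INTO moz_places VALUES (?, ?)", (i, url))
        conn.execute("INSERT INTO moz_bookmarks VALUES (?, 1, ?, ?)", (i, i, title))
    return conn

if __name__ == "__main__":
    for title, reason in audit(read_bookmarks(sample_db())):
        print(f"{title}: {reason}")
```

Run it against a copy of the profile’s database rather than the live file, and re-save flagged bookmarks using the output of scrub().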

Convenience vs. Security

Easy access comes at a risk. Browser vendors have prioritized easy access to bookmarks for features like import/export and synchronization. The downside is that any program running under your account can equally access that data. A vivid example of the convenience trade-off is how browsers import bookmarks from each other. Because the bookmark files are readily readable, one browser can scoop up another’s bookmarks to help you “seamlessly” switch. In fact, Microsoft Edge was observed automatically importing users’ Chrome bookmarks, history, cookies, and other data on first launch without explicit permission in some cases. This was intended to simplify setup, but it raised privacy alarms: Edge essentially read Chrome’s unencrypted data behind the scenes. Microsoft even synced that data to the user’s Microsoft account if logged in, which would have potentially invalidated any end-to-end encryption the Chrome user might have established. While users can disable such features, the incident highlights that one application can freely read another’s bookmarks without consent or knowledge of it happening.

There’s an ongoing discussion about whether this status quo is acceptable. Some security researchers argue that browsers could do more, such as preventing outside programs from reading the bookmark file or at least encrypting the data. As of now, however, there is no industry standard requiring encryption of bookmark data at rest. Regulators have not specifically addressed browser bookmarks in privacy laws, likely because bookmarks are mistakenly seen as less sensitive than, say, passwords or credit card numbers. However, under broad privacy regulations (like GDPR or CCPA), if an organization were to collect a user’s bookmarks, it would probably qualify as personal data. Some cloud-based bookmark platforms take a different approach by having no locally saved copies, ensuring they remain secure from local threats. Unlike traditional browser storage, these services never store bookmarks in an unencrypted state. For instance, WebCull encrypts bookmarks at rest, on device, and never stores bookmarks locally, greatly reducing attack vectors.

Logging Out Doesn’t Hide Your Bookmarks

A common but mistaken belief is that logging out of your browser profile removes or conceals your bookmarks on that device. In reality, bookmarks remain stored locally, fully visible, and easily accessible even after you've logged out. This issue becomes particularly troublesome when you sign into your browser profile on devices that aren't exclusively yours, such as a family member’s or a workplace computer. Your bookmarks, potentially revealing sensitive or private interests, remain in plaintext, and browsers provide very limited options to control or remove these local bookmarks upon logout. This oversight means that simply logging out is insufficient for privacy. Anyone subsequently using that device can see your bookmarks, posing privacy and security risks.

Misconceptions About Browser Sync Encryption

A common incorrect assumption among users is that enabling end-to-end encryption (E2EE) in a browser’s sync system means their bookmarks are fully protected. While it is true that some browsers, like Firefox and Chrome with a custom passphrase, encrypt bookmark data before syncing it to the cloud, this protection only applies to transmission and storage on the provider's servers. The reality is that even with E2EE enabled, bookmarks remain unencrypted at rest on the local machine. This means that any program, malware, or unauthorized user with access to the device can still read and extract bookmarks from the browser’s profile folder. This misunderstanding can create a false sense of security. In fact, the bookmarks remain fully accessible on the device, vulnerable to spyware, local attacks, or forensic data extraction.

Regulatory Risks of Storing Bookmarks Unencrypted with Personal Data

From an institutional standpoint, storing bookmarks unencrypted at rest could present serious GDPR or CCPA compliance violations if those bookmarks contain personally identifiable information (PII). Many bookmarked URLs, especially within enterprise environments, include metadata or query strings that contain sensitive user data—such as session IDs, usernames, account numbers, or even direct links to confidential records. If an organization retains such bookmarks without encryption, any unauthorized access, data breach, or forensic recovery of the file could expose private user data, making it a potentially reportable privacy incident under GDPR. Under these regulations, companies are required to protect user data with appropriate security measures, and failing to encrypt or restrict access to stored bookmarks could be interpreted as negligence in safeguarding PII. In the event of a data breach, organizations could face hefty fines—up to €20 million or 4% of global revenue under GDPR, and similarly significant penalties under CCPA. This underscores the legal and financial risks of treating bookmarks as trivial, when in reality, they can contain highly sensitive user information.

Given these realities, it’s clear that bookmark security deserves greater attention both from individual users and organizations. The common misunderstanding around browser-based end-to-end encryption highlights how crucial it is to distinguish between cloud protection and local vulnerabilities. Institutions especially must recognize the significant legal and regulatory risks involved in storing bookmarks containing personally identifiable information (PII) without encryption. Until browsers adopt stronger security measures, users and organizations should proactively consider secure alternatives—like cloud-based bookmark managers that ensure bookmarks remain encrypted and isolated from potential threats—to safeguard personal data and maintain compliance with privacy laws like GDPR and CCPA.
