User Profiles: The Achilles' Heel of Web Browsers

📅 2025-04-24
🤖 AI Summary
This paper exposes critical security flaws in browser user profiles at the operating system level: mainstream browsers store sensitive authentication credentials, extensions, root certificates, and device permissions in plaintext or under weak protection within users’ home directories—bypassing HTTPS encryption and password-based safeguards. The authors formally define the browser profile as a primary attack surface for the first time. Through filesystem permission analysis, Chrome extension reverse engineering, PKI trust chain manipulation, and exploitation of the File System Access API, they demonstrate that malicious web pages can silently overwrite local profiles without user interaction—enabling root certificate injection, HTTPS traffic hijacking, and unauthorized access to cameras and GPS. Experiments confirm that, except for Tor Browser, all major browsers lack both confidentiality and integrity guarantees for their profiles. This work catalyzes industry-wide reevaluation and redesign of profile security architectures.

📝 Abstract
Web browsers provide the security foundation for our online experiences. Significant research has been done into the security of browsers themselves, but relatively little investigation has been done into how they interact with the operating system or the file system. In this work, we provide the first systematic security study of browser profiles, the on-disk persistence layer of browsers, used for storing everything from users' authentication cookies and browser extensions to certificate trust decisions and device permissions. We show that, except for the Tor Browser, all modern browsers store sensitive data in home directories with little to no integrity or confidentiality controls. We show that security measures like password and cookie encryption can be easily bypassed. In addition, HTTPS, which relies on the Public Key Infrastructure (PKI), the backbone of the secure Web, can be sidestepped entirely by deploying custom, potentially malicious root certificates within users' browser profiles. More worryingly, we show how these powerful attacks can be fully mounted directly from web browsers themselves, through the File System Access API, a recent feature added by Chromium browsers that enables a website to directly manipulate a user's file system via JavaScript. In a series of case studies, we demonstrate how an attacker can install malicious browser extensions, inject additional root certificates, hijack HTTPS traffic, and enable websites to access hardware devices like the camera and GPS. Based on our findings, we argue that researchers and browser vendors need to develop and deploy more secure mechanisms for protecting users' browser data against file system attackers.

Problem

Research questions and friction points this paper is trying to address.

Study the security risks of browser profiles that store sensitive data
Expose how password and cookie encryption can be bypassed
Demonstrate attacks mounted via the File System Access API, including HTTPS hijacking
Innovation

Methods, ideas, or system contributions that make the work stand out.

Systematically study the security vulnerabilities of browser profiles
Bypass HTTPS via malicious root certificates
Use the File System Access API as the attack vector
Doliere Francis Somé
CISPA Helmholtz Center for Information Security, Saarbrücken, Saarland, Germany
Moaz Airan
Saarland University, Saarbrücken, Saarland, Germany
Zakir Durumeric
Stanford University
Security, Trust and Safety, Networking, Internet Measurement
Cristian-Alexandru Staicu
CISPA Helmholtz Center for Information Security
web security, system security, security testing, program analysis, software supply chain security