If I leave a website open on my computer, am I susceptible to hacking?
I have 128-bit WEP security on a single machine home wireless network.
It’s not at all uncommon to have browsers and websites open for lengthy periods of time, even when we walk away from our computers. I know I certainly leave several open for hours, if not days.
This may, or may not, be a security risk, depending on several factors.
The first thing to consider is simply this: is your computer safe? Not the websites, but the computer.
By that I mean if you walk away from your computer, is it safe or is it possible that someone could access and use or abuse your computer in some way while you’re not around? In a case like that, leaving a web site up and open is often the least of your worries, unless of course it’s your banking site and your roommate or someone else comes along and drains your account.
So, as I’ve said so often, if your computer isn’t physically secure, it’s not secure.
But that’s not really what you were asking about, though I’ll refer to it below again.
So, assuming someone isn’t going to walk up to your computer while you’re away…
In short, the answer is mostly no – you’re not susceptible to hacking by simply leaving a website open. But you still need to take care.
Most websites don’t do anything. By that I mean that the majority of sites simply display content when you first visit the page, and then quite literally don’t do anything else until you browse to another page. They don’t access your machine; they don’t run programs; they’re just static. It’s kind of like leaving a book open on a table. You can read the words, but the pages won’t turn themselves, nor will the book burst into flames by itself.
Now, things get slightly more complicated as the web gets more powerful. Let’s use GMail as an example.
If you leave GMail’s default view open, it will in fact periodically check for and display new mail. So, yes, the web page is “doing something”. The pages are turning themselves, in a sense. But still, this type of activity – while more and more common – is also typically benign. Websites that automatically update their content aren’t going to allow a hacker entry into your machine.
So even there, leaving a fairly powerful website open isn’t really a huge risk on its own. The content may update, but ultimately that’s just fine.
What about sites that display truly confidential information – like your banking site?
Even there, leaving it open for a long period of time isn’t exposing you to any additional risk. The site simply displays information, and then steps aside while you read it and decide what to do next.
There is risk, however, and it’s what I alluded to earlier. Anyone who can walk up to your machine while you’re logged into your bank’s web site can do whatever they want. Heck, even just walking by and seeing your personal information should be enough to concern you.
That’s why most secure sites like your bank will automatically log you out after you’ve not done anything for a while. They have to assume that it’s possible you’ve walked away from your computer, and they must log you out for your own safety.
But if you’re certain that your machine is safe – both virus-free (and if it’s not, then all bets are off whether you leave things open or not), and physically secure from someone walking up to the machine – then sure, leave sites open as long as you like.
I do it all the time.
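The automatic logout described above, as an added example that is not part of the original article or any real bank's code: a minimal server-side session store in which only user-initiated requests reset the idle timer, so a page that refreshes itself (like the Gmail case) cannot keep a session alive indefinitely. The class name, method names and timeout values are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float
    last_activity: float


class SessionStore:
    """Server-side sessions with an idle timeout and an absolute lifetime."""

    def __init__(self, idle_timeout=600, absolute_timeout=8 * 3600):
        # Both limits (in seconds) are illustrative, not any real site's policy.
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions = {}

    def login(self, user, now):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user, created=now, last_activity=now)
        return token

    def request(self, token, now, user_initiated=True):
        """Return the user name if the session is still valid, else None."""
        session = self._sessions.get(token)
        if session is None:
            return None
        idle = now - session.last_activity
        age = now - session.created
        if idle > self.idle_timeout or age > self.absolute_timeout:
            # Expire on the server so the token left in the browser stops working.
            del self._sessions[token]
            return None
        if user_initiated:
            # Only real clicks and keystrokes count as activity; background
            # polling for new content must not reset the idle timer.
            session.last_activity = now
        return session.user


def demo():
    # Constructed timeline, in seconds since login.
    store = SessionStore(idle_timeout=600)
    token = store.login("alice", now=0)
    return [
        store.request(token, now=300),                        # user click
        store.request(token, now=800, user_initiated=False),  # background poll
        store.request(token, now=1000),                       # 700 s since last click
    ]
```

The absolute lifetime is a second limit: even a user who keeps clicking is asked to log in again once the session reaches that age.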
If your page refreshes and you are on an unsecured website or unsecured connection, someone can come along with a packet sniffer and listen in on what you are doing…. I actually do this in my line of work, sniffing packets going through a network and measuring network health/etc and we can actually read all the data being sent back and forth if it is unencrypted.
If the page is sitting there doing nothing, you should be perfectly fine, but if it’s an unsecured site or connection and it’s refreshing itself and you don’t want people to know what you are doing, you should most definitely exit the browser asap.
Example: the non https version of gmail on a hardwired network = sniffable/readable packets each time the page refreshes on its own.
Like Leo said, unless it’s a website that contains secure information such as banking websites – then it’s not a really big threat. Think about it – if you have a cable or dsl connection – you are always connected to the internet as long as your computer is turned on!
OK. I have for years stressed that it is important to log off the web whenever you leave your computer. This was what I believed and had been told. Now I must send this article to my dear wife, to whom I have preached most often and tell her that I was wrong and it’s actually OK…
Sigh.
Thanks Leo! I shall soon know the flavor of crow… ;)
05-Aug-2009
I was wondering the same thing this morning when I was using EBay. I guess what the original question was considering was if a “hacker” can find my open page floating out there on the internet if I just close my EBay screen and do not “Log Out”. If a hacker can find my open EBay screen which I did not log out of then I assume he could access “My Account” on the page and then “Modify My Account Settings” on the member page. The point I think Leo is making and that I probably am not seeing is that a hacker needs to “hack into” my computer via the web or hack into EBay’s computer system via the web to actually find that page I left open. If this is the case then leaving a page open would be as secure as my own personal computer and my firewall settings protecting it from the outside [edited]. Many sites like bank sites “time out” I believe if you leave them open and do not use it or log out for a relatively short period of time. Still a little confused as to how secure my internet web sites might be if I do not “log out” every time. It does seem that all web sites at some time or another get hacked into — even banks. Maybe at that point not having logged out becomes a problem of vulnerability. Good topic it seems.
I just left a comment on the article and decided to Buy Leo a Latte prior to closing the page. So I used PayPal and left $5 but then closed screen and “FORGOT” to Log Out of the PayPal site. So maybe that open PayPal screen which I did not log off of will teach me the truth about not logging off!! Someone else may be getting a few Lattes out of my PayPal if not logging off is a problem.
Well, not logging out does nothing but tell the cookie saved in your browser to auto log you back in on your next visit, all your info is still saved on that machine, nevertheless.
Also, having a site open DOES NOT keep a constant connection to the site you are on. There may be a timer running to “refresh” the content systematically like google (which uses last connect time in the cookie), but even then all the info is done locally and a tcp connection is open only when you are “accessing” the site and auto closes once the transaction is completed. You can leave it open as long as you want — it will connect/disconnect on its own if it’s made that way, otherwise it will sit there idle as the data is already on your machine.
The only threat is if someone comes by and actually reads it on your screen or if it’s an unsecured site, they can sniff the information on your local network AS the site refreshes… In that case, there’s nothing you can really do. Sites will usually auto secure stuff that is personal, but unless you see the lock on the bottom/top of your browser telling you you are on a secure page, your stuff is 100% visible to anyone who knows what they are doing, but only as you receive the data and not before/after.
I would be more concerned about the fact that you are using WEP instead of WPA for your wireless encryption. I hope you have a good firewall, since your network is simple to hack.
“I have 128bit WEP security on a single machine home wireless network.”
Everything you send/receive can be read by anyone!!! WEP is not secure – anyone can hack into it and read data exchanged by you! No firewall will help you in this situation – you have to use WPA
I am just wondering if there is a way to keep the computer displaying what it was when you left it BUT preventing further interaction (by mouse, keyboard, et cetera) until you fill in a password. It would be a neat option…although not necessarily top-notch security-wise.
As for me, I use firefox and if I need to leave in a jiff and come back, I can make sure more than one tab is open in the single window I run it in, then close it but do NOT delete the data. I can then log out (winkey + L) — lowercase L. It has occurred to me, however, that the session data from firefox can be compromised…
I don’t know how accurately programs (in particular, sites visited on-line in firefox) can resume from a Lock or logging off.
OK. I read the article. Good stuff. But we just had an incident where a gambling site popped on to our computer overnight. It’s just me & the Mrs. So, assume for the moment neither of us sought the site out. We are on a cable modem. We are not wireless at all. We have only one pc. I run TrendMicroPro. The pc is set to hibernate after 15 minutes. I may have left it running on my home page when I went to bed. But it was hibernating when I got up. When I woke it up, the gambling site was on instead of my desktop. I know we contend with other nearby cable subscribers for bandwidth. Is it possible for someone to sit at the IP of a shared piece of cable company hardware “out at the curb” so to speak, and “push” URLs to downstream PCs?