August 5, 2024 by @DKob
A wise person once said: "Convenience comes with a price." Today, I will illustrate the high costs and risks associated with saving your passwords. Whether it's your bank account or social media profiles, the risk of losing access can be immediate and severe. Let's explore this issue in depth.
<aside> <img src="https://prod-files-secure.s3.us-west-2.amazonaws.com/b0edf093-4014-4603-af27-b4044f283218/f0b3ca88-b7aa-43de-bf19-6fa8f7ad4025/Schneier.jpg" alt="Bruce Schneier" width="40px" />
"Security is a process, not a product. Too often, security is sacrificed for convenience."
~ Bruce Schneier
</aside>
Is this prompt familiar?
By selecting 'Save,' you store your password locally, where it is vulnerable to theft. Although passwords are stored in an encrypted format, several significant issues persist:
In essence, AES is a symmetric cipher: the same key is used for both encryption and decryption. Since the key stored in the 'Local State' file is easily accessible, decrypting the stored passwords becomes relatively straightforward. Combining this key with an Initialization Vector allows all saved passwords to be decrypted.
The sequence of steps for decrypting the passwords is as follows:
Here is a video demonstrating the issue:
Password decryption can be performed manually using a series of commands or automated through a custom-developed script. Proof-of-concept (PoC) code is provided below. This issue is not new; however, recent techniques, such as Chrome memory forensics, have emerged for stealing passwords stored in web browsers. It is also important to note that this issue affects not only Chrome but also other browsers, including Firefox, Edge, and many others.
The only way to protect yourself from this flaw is to never save your passwords in the browser. If you are concerned about forgetting your passwords, consider using a reputable password manager or, alternatively, do it the old way: write them down on paper and store the paper securely at home. Ensure that your passwords are sufficiently complex.
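Where saved passwords cannot be ruled out on managed machines, access to the 'Local State' key file by anything other than the browser itself is worth alerting on. The sketch below is an added example, not part of the original post or its PoC; it assumes file-access audit events exported as JSON lines with hypothetical `host`, `image` and `object` fields, the `User Data\Local State` layout used by Chromium-based browsers, and an allowlist of install directories that you would adapt.

```python
import json
from ntpath import basename, dirname, normcase  # Windows path rules on any OS

# Assumption: directories where the real browser binaries are installed.
# Adjust for your fleet (per-user installs live elsewhere).
TRUSTED_DIRS = {normcase(p) for p in (
    r"C:\Program Files\Google\Chrome\Application",
    r"C:\Program Files (x86)\Microsoft\Edge\Application",
)}

def touches_key_file(path: str) -> bool:
    """True for a 'Local State' file directly inside a 'User Data' folder."""
    p = normcase(path)  # lower-case, forward slashes become backslashes
    return basename(p) == "local state" and basename(dirname(p)) == "user data"

def is_trusted(image: str) -> bool:
    """Trust by install directory, not file name: a chrome.exe running
    from a temp folder must not pass."""
    return normcase(dirname(image)) in TRUSTED_DIRS

def suspicious_key_reads(lines):
    """Return (host, image, object) for untrusted processes that opened
    a browser 'Local State' file."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
            host, image, obj = ev["host"], ev["image"], ev["object"]
            if touches_key_file(obj) and not is_trusted(image):
                hits.append((host, image, obj))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed records instead of aborting the run
    return hits

# Constructed sample events (hypothetical field names, not real telemetry).
_KEY = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"
SAMPLE = [json.dumps(e) for e in (
    {"host": "ws01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "object": _KEY},
    {"host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\chrome.exe", "object": _KEY},
    {"host": "ws02", "image": r"C:\Tools\sync.exe", "object": _KEY.upper().replace("\\", "/")},
    {"host": "ws02", "image": r"C:\Windows\System32\notepad.exe", "object": r"C:\Users\bob\Documents\Local State"},
)] + ["not json"]

if __name__ == "__main__":
    for hit in suspicious_key_reads(SAMPLE):
        print("ALERT", *hit)
```

Backup and endpoint-protection agents also read profile files, so expect to extend the allowlist before turning hits into alerts.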
Stay safe, secure, and most importantly, vigilant.
<aside> ⚠️
Disclaimer: This script is intended for educational purposes only. The use of this script for any unauthorized access, hacking, or harm to individuals, systems, or data is strictly prohibited. The creators and distributors of this script assume no responsibility for any misuse or illegal activities that may arise from its use. Always ensure you have explicit permission before using this script in any context and adhere to all relevant laws and regulations.
</aside>
GitHub - Dragkob/ChromePassHack_PoC: Proof of Concept: Decrypting Chrome Passwords