This research was initiated accidentally. After “mini-dumping” all active Chrome.exe processes for another research project, I decided to see if a password that I had recently typed in the browser appeared in any of these dumps. I was surprised to see that the password was stored, in clear-text format, at several separate locations in the memory of two of these processes.
Credential data (URL/username/password) is stored in Chrome’s memory in clear-text format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager (“Login Data” file).
Cookies’ data (cookies’ value + properties) is stored in Chrome’s memory in clear-text format (when the relevant application is active). This includes sensitive session cookies.
This information can be extracted effectively by a standard (non-elevated) process running in the local machine and performing direct access to Chrome’s memory (using OpenProcess + ReadProcessMemory APIs).
The extracted data can be used to hijack users’ accounts even when they are protected by an MFA mechanism (using the “session-cookies” data).
Sample session hijacking was “POC-ed” for Gmail, OneDrive and GitHub.
Similar weaknesses were seen in the Microsoft Edge browser (and will be found, presumably, in other browsers that are based on the Chromium engine)…
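Because the extraction path described above goes through OpenProcess followed by ReadProcessMemory, the handle acquisition is visible to endpoint telemetry. The following detection logic is an added example (not code from the original post or from the researcher) that runs over constructed Sysmon Event ID 10 (ProcessAccess) records and flags any process other than the browser itself that obtains a handle to chrome.exe or msedge.exe with the PROCESS_VM_READ right (0x0010), the right ReadProcessMemory requires. The allowlist and the sample records are assumptions for illustration.

```python
# Added example: flag handle opens on Chromium-based browser processes that
# carry memory-read rights, as recorded by Sysmon Event ID 10 (ProcessAccess).
PROCESS_VM_READ = 0x0010            # Win32 access right required by ReadProcessMemory
BROWSERS = {"chrome.exe", "msedge.exe"}
# Assumed allowlist: a browser's own processes legitimately open each other.
ALLOWED_SOURCES = BROWSERS

# Constructed Sysmon EID 10 records (not real telemetry); GrantedAccess is hex text.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1FFFFF"},                     # browser -> browser, expected
    {"SourceImage": r"C:\Users\alice\Downloads\dumper.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x0410"},                       # QUERY_INFORMATION | VM_READ
    {"SourceImage": r"C:\Users\alice\tool.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1000"},                       # QUERY_LIMITED_INFORMATION only
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_browser_reads(events):
    """Return (source, target, access) for non-browser processes that open a
    browser process with PROCESS_VM_READ set in the granted access mask."""
    hits = []
    for ev in events:
        src = basename(ev["SourceImage"])
        tgt = basename(ev["TargetImage"])
        access = int(ev["GrantedAccess"], 16)
        if tgt in BROWSERS and src not in ALLOWED_SOURCES and access & PROCESS_VM_READ:
            hits.append((src, tgt, hex(access)))
    return hits


if __name__ == "__main__":
    for src, tgt, access in suspicious_browser_reads(SAMPLE_EVENTS):
        print(f"ALERT: {src} opened {tgt} with memory-read access {access}")
```

In a real deployment the allowlist must be tuned for legitimate readers of browser memory (EDR agents, crash handlers), and the Sysmon CallTrace field can be used to separate native callers from unsigned tooling.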
Go BLUE! A Protection Plan for Credentials in Chromium-based Browsers
In my previous blog post (here), I described a technique to extract sensitive data (passwords, cookies) directly from the memory of a Chromium-based browser’s [CBB] process. Google’s response to the responsible disclosure was discouraging, stating “Won’t Fix” since “there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your device as you” (here).
Where Are the “Secrets”?
Sensitive data is stored and processed by CBBs in different locations/process routes. To provide comprehensive protection for this data, one needs to address all of the following locations/processes:
Files on disk
Browser’s VM
Keyed-in data (from Keyboard)
SSL-encrypted messages on their way to the web
Information delivered by the browser (if you ask nicely)…