• Extracting Clear-Text Credentials Directly From Chromium’s Memory

    Home » Forums » Cyber Security Information and Advisories » Code Red – Security/Privacy advisories » Extracting Clear-Text Credentials Directly From Chromium’s Memory

    Author
    Topic
    #2452802

    https://www.cyberark.com/resources/threat-research-blog/extracting-clear-text-credentials-directly-from-chromium-s-memory

    This research was initiated accidentally. After “mini-dumping” all active Chrome.exe processes for another research project, I decided to see if a password that I recently typed in the browser appears in any of these dumps. I was surprised to see that the password was stored, in clear-text format, at several separate locations in the memory of two of these processes..

    Credential data (URL/username/password) is stored in Chrome’s memory in clear-text format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager (“Login Data” file).
    Cookies’ data (cookies’ value + properties) is stored in Chrome’s memory in clear-text format (when the relevant application is active). This includes sensitive session cookies.
    This information can be extracted effectively by a standard (non-elevated) process running in the local machine and performing direct access to Chrome’s memory (using OpenProcess + ReadProcessMemory APIs).
    The extracted data can be used to hijack users’ accounts even when they are protected by an MFA mechanism (using the “session-cookies” data).
    Sample session hijacking was “POC-ed” for Gmail, OneDrive and GitHub.
    Similar weaknesses were seen in the Microsoft Edge browser (and will be found, presumably, in other browsers that are based on the Chromium engine)

    Go BLUE! A Protection Plan for Credentials in Chromium-based Browsers

    In my previous blog post (here), I described a technique to extract sensitive data (passwords, cookies) directly from the memory of a Chromium-based browser’s [CBB] process. Google’s response to the responsible disclosure was discouraging, stating “Won’t Fix” since “there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your device as you” (here).

    Where Are the “Secrets?”

    Sensitive data is stored and processed by CBBs in different locations/process routes. To provide comprehensive protection for this data, one needs to address all of the following locations/processes:

    Files on disk
    Browser’s VM
    Keyed-in data (from Keyboard)
    SSL-encrypted messages on their way to the web
    Information delivered by the browser (if you ask nicely)…

    6 users thanked author for this post.
    Viewing 0 reply threads
    Author
    Replies
    • #2452810

      From the article, it looks like the same exploit might NOT work on Firefox:

      “I took this as an opportunity to briefly run my own test on Saturday using Google Chrome, the Ungoogled browser (Chromium clone), and the Firefox browser. For this I downloaded the tool Process Hacker for Windows from GitHub and used it to evaluate the memory contents.

      “Here are the results of a short test:

      Google Chrome: Passwords show up in plain text.
      Ungoogled browser: Passwords show up in plain text.
      I didn’t find any passwords in the search.”

      https://borncity.com/win/2022/06/12/chrome-speichert-passwrter-im-speicher-im-klartext/#more-24837

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

      7 users thanked author for this post.
    Viewing 0 reply threads
    Reply To: Extracting Clear-Text Credentials Directly From Chromium’s Memory

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: