Lots of people use their browser to save their passwords, but most browsers store your sensitive data, including usernames, passwords and session cookies in plain text (not encrypted).
Most Chromium-based web browsers are affected, including Google Chrome and Microsoft Edge. A quick test on other browsers such as Brave and Mozilla’s Firefox conforms that these browsers also storing this data insecurely in plain text as well.
Physical access to your machine is not required, as remote access or access to software that is running on the target machine is sufficient to extract the data. Extracting can be done from any non-elevated process that runs on the same machine, such as any browser extensions or other installed apps your have installed.
While it is necessary for the user to enter credential data such as usernames and passwords before they can be extracted, Zeev Ben Porat notes that it is possible to “load into memory all the passwords that are stored in the password manager”, in fact this is exactly what password managers such as LastPass, 1Password, Dashlane etc do in order to import all your browser passwords for you.
Two-factor authentication security may not be sufficient to protect user accounts either, if session cookie data is also present in memory; extraction of the data may lead to session hijacking attacks using the data.
A Cyberark security researcher describes several different types of clear-text credential data that can be extracted from the browser’s memory.
- Username + password used when signing into a targeted web application
- URL + Username + Password automatically loaded into memory during browser’s startup
- All URL + username + password records stored in Login Data
- All cookies belonging to a specific web application (including session cookies)Testing your browsers
The issue was reported to Google and it received the “wont fix” status quickly. The reason given is that Chromium won’t fix any issues that are related to physical local access attacks.
Zeev Ben Porat published a follow-up article on the CyberArk blog, which describes mitigation options and different types of attacks to exploit the issue.
How to test your browsers
Windows users may use the free tool Process Hacker to test their browsers. Just download the portable version of the program, extract its archive and run the Process Hacker executable to get started.
Enter a username, password or other sensitive data in the browser that you want to test.
- Double-click on the main browser process in the process listing to display details.
- Switch to the Memory tab.
- Activate the Strings button on the page.
- Select OK on the page.
- Activate the Filter button in the window that opens, and select “contains” from the context menu.
- Type the password or other sensitive information in the “Enter the filter pattern” field and select ok.
- Process Hacker returns the data if it is found in process memory.
I highly recommend using a proper password manager rather than storing your passwords in your browser, which encrypts all your data and protects your passwords with 2 factor authentication.