Beware, this is how passwords saved in Google Chrome are stolen

When you log in to a new site, Google Chrome asks whether it should save the password so that you do not have to type the credentials again on future visits. However, this convenience is not completely safe.

An analysis by the cybersecurity company ESET explains whether storing access credentials in the browser is safe and what the risks of this option are, so that users know what they may face.

How the attacks work

The company pointed out that the greatest risk is that an attacker with access to the computer could easily retrieve the stored passwords, decrypt them and steal them. This type of action has been observed several times in banking trojans whose purpose is to steal access credentials for online banking sites and later commit fraud.

They explain that the procedure for obtaining the passwords is simple:

“We started by trying to log into Facebook with a fictitious username and password. When prompted by the browser, we clicked the option for Google Chrome to save our credentials.”

Once the username and password are stored in the Google Chrome database, the file where the information is saved can be located (this data is stored in a SQLite3 database, generally found at: %LocalAppData%\Google\Chrome\User Data\Default\Login Data).

The file is then opened with a program that can display databases (in the example: DB Browser for SQLite).

When the file is opened in DB Browser, the “logins” table contains the entries with the login data, which include: URL, username and password. The stored password is encrypted; however, clicking on that field shows its hexadecimal representation.

At that point, the attacker already has the username, the website and the encrypted password, so only the final step remains: decrypting it.

“To do this, the attacker takes advantage of having access (physical or virtual) to the computer in question, since it is highly probable that the active user is the same one who previously saved the password, allowing the attacker to easily decrypt it using the function CryptUnprotectData.”

It should be noted that, for basic security reasons, passwords are not stored in plain text, that is, unencrypted. Instead, on Windows systems, Google Chrome uses an encryption function provided by the operating system: CryptProtectData (Crypt32.dll). Because that function ties the encrypted blob to the Windows user account rather than to a secret only the user knows, anyone running code as that logged-in user can ask the operating system to decrypt it.

According to ESET, all these steps can be performed by malware quickly and automatically. However, malware is not the only risk to be aware of, as there are multiple programs, easily found through an online search, that are capable of performing these same steps. This means that people with no technical knowledge, but with physical access to the unlocked computer, can steal the credentials just as malware would.

“It is important to note that all the risks mentioned are limited solely to this mechanism, that is, the risk that the passwords stored there are stolen. Therefore, it is recommended not to use this functionality and, if you do, not to use it to store passwords for important services, such as online banking, social networks, medical portals, or those that contain personal information.”
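The recommendation above can be checked rather than taken on faith: the following added example (not from ESET or the original article) audits a copy of the "Login Data" SQLite file and reports which saved logins belong to sensitive services, reading only the URL and username columns and never touching the encrypted password field. It assumes the table and column names `logins`, `origin_url` and `username_value`, and builds a constructed sample database so it runs offline; the sensitive-domain list is a placeholder for your own.

```python
import os
import sqlite3
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Placeholder list of services whose passwords should not live in the browser
# (online banking, social networks, medical portals, per the article's advice).
SENSITIVE_DOMAINS = {"bank.example", "health.example", "facebook.com"}


def build_sample_login_data(path):
    """Create a constructed 'Login Data'-style file; column names assumed from Chrome's schema."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    rows = [  # password_value holds opaque placeholder bytes standing in for the encrypted blob
        ("https://www.facebook.com/login", "alice", b"\x01\x00\x00\x00placeholder"),
        ("https://online.bank.example/", "alice@example.com", b"\x01\x00\x00\x00placeholder"),
        ("https://forum.example/login", "alice", b"\x01\x00\x00\x00placeholder"),
    ]
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    con.commit()
    con.close()


def audit_saved_logins(db_path, sensitive_domains=SENSITIVE_DOMAINS):
    """Return (host, username, flagged) for every saved login; the password column is never read."""
    # Chrome keeps the live file locked, so audit a copy, and open it read-only.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    findings = []
    for origin, user in con.execute("SELECT origin_url, username_value FROM logins"):
        host = urlparse(origin).hostname or ""
        flagged = any(host == d or host.endswith("." + d) for d in sensitive_domains)
        findings.append((host, user, flagged))
    con.close()
    return findings


def flagged_hosts(db_path):
    """Hosts whose saved credentials the user should remove from the browser."""
    return sorted({host for host, _user, flagged in audit_saved_logins(db_path) if flagged})


def demo():
    """Build the constructed sample in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "Login Data")
        build_sample_login_data(db)
        return flagged_hosts(db)


if __name__ == "__main__":
    for host in demo():
        print("saved credentials for sensitive service:", host)
```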
