this post was submitted on 11 Apr 2024
They are encrypted and the encryption is just fine. The problem is that the key is stored locally on your system and can be used to decrypt them automatically. And crucially, that key is not encrypted, it's just encoded in a well known format (base64). This means that it's trivial for an attacker's script to retrieve them, use that key to decrypt them and send them up to the attacker's Command and Control (C2) server. As an analogy, imagine having the world's best lock on your front door, but you have the key under your door mat. The lock counts for fuck all, because any thief who isn't a complete moron will look under the mat.
You can actually see this in action for yourself, without your passwords being sent to an attacker. NirSoft has a tool called ChromePass which will retrieve and display passwords saved in Chrome. If I run this on my own system, I get something like:
And this works whether or not the browser is running. So, if you get phished, or get hit by an unpatched vulnerability, any password you have saved in your browser is now in the hands of an attacker. And this happens in the first few seconds of an infection. It only takes one mistake and they are gone. And, while we all like to think that we are immune to phishing or mistakes like that, we all fuck up. It happens. This is why we plan for "defense in depth". Keeping your passwords out of a browser means that, when you make that mistake, they don't end up in the hands of attackers.
Wow! That's not even encrypted O_0 Does every browser just "encode" password lists like that?
Btw, NirSoft tools are just great. Lost passwords and many other things. Anyway, thanks for the info!
It's the decryption key for the encrypted passwords which is encoded (I know, confusing). But, they may as well not be encrypted for all the good it's doing you.
Off the top of my head, Chrome does this. MS Edge, which is Chrome with a blue coat of paint, does. Opera is Chrome with red paint, so it's almost certainly base64 as well. Brave browser is Chrome with orange paint... You get the idea, lots and lots of "independent" browsers are just Chrome (ok technically, Chromium, the open source version of Chrome), which means they inherit all its faults. I don't know the scheme Firefox uses, but it's similar enough that recovering passwords is equally as trivial. Here is the tool for that.
The long and short of it is that any system for storing passwords which doesn't have you using some sort of "master password" to unlock the vault, is storing the password locally in a way which is going to be well known and easy for an attacker to reverse. Technically, hardware solutions like smartcards and YubiKeys can also be used in place of passwords; but, that's a whole different area of discussion. Sadly, when things are really convenient, they are usually also really insecure.
Thanks again for all the insights!
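The contrast drawn in the comments above (a key that is only base64-encoded on disk versus a vault unlocked by a master password), as an added example that is not part of the original thread and not any browser's actual code. The dictionary layout, function names and iteration count are assumptions, and the XOR-plus-HMAC wrap is a standard-library stand-in for the AEAD key wrap a real vault would use.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 300_000  # PBKDF2-HMAC-SHA256 work factor (example value, tune upward)

def store_encoded(data_key: bytes) -> dict:
    """Scheme from the first comment: the key sits on disk, only base64-encoded."""
    return {"key_b64": base64.b64encode(data_key).decode()}

def recover_encoded(disk: dict) -> bytes:
    """Any process that can read the profile recovers the key; no secret needed."""
    return base64.b64decode(disk["key_b64"])

def _derive(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into a 32-byte wrap mask and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                              ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def store_wrapped(data_key: bytes, master_password: str) -> dict:
    """Master-password scheme: disk holds salt, wrapped key and tag, never the key."""
    if len(data_key) != 32:
        raise ValueError("this sketch wraps 32-byte keys only")
    salt = os.urandom(16)  # fresh salt, so the mask is used exactly once
    mask, mac_key = _derive(master_password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def recover_wrapped(disk: dict, master_password: str) -> Optional[bytes]:
    """Return the data key, or None when the password does not match the tag."""
    mask, mac_key = _derive(master_password, disk["salt"])
    expected = hmac.new(mac_key, disk["salt"] + disk["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, disk["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(disk["wrapped"], mask))

if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key
    print("encoded scheme, no secret:", recover_encoded(store_encoded(key)) == key)
    vault = store_wrapped(key, "correct horse battery staple")
    print("wrapped scheme, wrong password:", recover_wrapped(vault, "guess"))
    print("wrapped scheme, right password:",
          recover_wrapped(vault, "correct horse battery staple") == key)
```
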