You can steal Chrome data (if you have local access)

[Danielx64]

Whenever someone reports a vulnerability that requires local access to a system, a discussion erupts about whether that is really a vulnerability that needs fixing.

One side argues that it is, considering that there are numerous ways that someone could gain local access to a device. The other side argues that it is not, as an attacker can do anything on the machine anyway with local access (at the user's level).

A issue in Chrome was revealed recently by Lior Margalit on Medium that allows anyone with local access to a system running Chrome to steal saved data from the user account.

A prerequisite to that is that the actual user needs to be signed in to a Google account. If that is the case, an attacker can use the method to steal any sync data from the account including passwords, form field data, bookmarks, or the browsing history.

What do you think? Is this really an issue that needs fixing?

 

[TrinitronMSDOS]

What do you think? Is this really an issue that needs fixing?

I wouldn't be too concerned as these kind of vulnerabilities are common and usual quickly fixed (Google have a good reputation for that). Anyway i think it proves that saving passwords in web browsers is not that good of an idea. Especially when there are so many good (and some free) password managers out there.

 

[Arequire]

The other side argues that it is not, as an attacker can do anything on the machine anyway with local access (at the user's level).

I'm firmly in this camp. If someone with malicious intent has physical access to your machine - and assuming they're not incompetent or time constrained - then the battle's lost. Ghack's advice about locking your system won't help either; all you need is a Linux distro on a flash drive the to reset the Windows password.

 

[Deleted member 65228]

I wouldn't be too concerned as these kind of vulnerabilities are common and usual quickly fixed (Google have a good reputation for that).

Sure about that?

If you save passwords with the web browser and not a password manager, it'll be easily stolen. Google Chrome uses a technique to "lock" but you can "unlock", and Mozilla Firefox encrypts the saved passwords except you can decrypt them using APIs they use themselves. Regarding other user accounts, you can access the browser data for them as well; you can exploit lsass.exe to grab credentials for other user accounts on the system, then use various APIs to impersonate the target user account with the stolen credentials, and then steal the browser data for that user, too.

Some of the years old methods for Google Chrome & Firefox still work to this very day. At the end of the day, the browser needs to read the data one way or another; therefore so can an attacker.

If your compromised, nothing stops an attacker from installing a keylogger and gaining credentials this way either. I don't think browser vendors are to blame, if you're infected then it's already game over, time to restart from scratch and try not to mess up.

 

[TairikuOkami]

If you save passwords with the web browser and not a password manager, it'll be easily stolen.

Indeed and not just locally, remotely as well. There is even no need to steal passwords, just hashes or cookies will do.

 

[TrinitronMSDOS]

Sure about that?

If you save passwords with the web browser and not a password manager, it'll be easily stolen.

Well i totally agree with you. And that's why i said in my original post "i think it proves that saving passwords in web browsers is not that good of an idea". What i meant by that is web browsers are reasonably safe as long as you don't use their integrated password managers.

Anyway thanks for detailed info, there was some technical stuff i didn't knew

 

[Deleted member 178]

Kali on live CD = system owned