Your web browser stores passwords and sensitive data in clear text in memory

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,151
Your web browser may store sensitive data, including usernames, passwords and session cookies in clear text in memory according to CyberArk security researcher Zeev Ben Porat.

Most Chromium-based web browsers appear to be affected, including Google Chrome. Microsoft Edge was tested for the weakness and it was affected by it, too. A quick test on a local Windows 11 system confirmed that browsers such as Brave and Mozilla's Firefox web browser are affected by the issue as well.

Physical access to the target machine is not required, as remote access or access to software that is running on the target machine is sufficient to extract the data. Extracting can be done from any non-elevated process that runs on the same machine.

While it is necessary for the user to enter credential data such as usernames and passwords before they can be extracted, Zeev Ben Porat notes that it is possible to "load into memory all the passwords that are stored in the password manager".

Two-factor authentication security may not be sufficient to protect user accounts either, if session cookie data is also present in memory; extraction of the data may lead to session hijacking attacks using the data.

The security researcher describes several different types of clear-text credential data that can be extracted from the browser's memory.
  • Username + password used when signing into a targeted web application
  • URL + Username + Password automatically loaded into memory during browser’s startup
  • All URL + username + password records stored in Login Data
  • All cookies belonging to a specific web application (including session cookies)Testing your browsers
The issue was reported to Google and it received the "wont fix" status quickly. The reason given is that Chromium won't fix any issues that are related to physical local access attacks.

Zeev Ben Porat published a follow-up article on the CyberArk blog, which describes mitigation options and different types of attacks to exploit the issue.
Click to expand...

How to test your browsers​

Windows users may use the free tool Process Hacker to test their browsers. Just download the portable version of the program, extract its archive and run the Process Hacker executable to get started.

Enter a username, password or other sensitive data in the browser that you want to test.
  1. Double-click on the main browser process in the process listing to display details.
  2. Switch to the Memory tab.
  3. Activate the Strings button on the page.
  4. Select OK on the page.
  5. Activate the Filter button in the window that opens, and select "contains" from the context menu.
  6. Type the password or other sensitive information in the "Enter the filter pattern" field and select ok.
  7. Process Hacker returns the data if it is found in process memory.

chrome-cleartext-passwords-cookie-data.png
Click to expand...
www.ghacks.net

Your browser stores passwords and sensitive data in clear text in memory - gHacks Tech News

Your web browser may store sensitive data, including usernames, passwords and session cookies in clear text in memory according to CyberArk security researcher Zeev Ben Porat.
www.ghacks.net
 
  • Like
  • +Reputation
  • Wow
Reactions: SeriousHoax, plat, TairikuOkami and 13 others
silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,151
CyberArk security researcher Zeev Ben Porat wrote another related article (sort of 2nd part):
www.cyberark.com

Go BLUE! A Protection Plan for Credentials in Chromium-based Browsers

In my previous blog post (here), I described a technique to extract sensitive data (passwords, cookies) directly from the memory of a Chromium-based browser’s [CBB] process. Google’s response to...
www.cyberark.com www.cyberark.com
 
  • Like
  • +Reputation
  • Thanks
Reactions: Deletedmessiah, oldschool, mkoundo and 6 others

Similar threads

[correlate]
    • Wow
    • Like
    • +Reputation
Proton Pass Retains Passwords in Cleartext Form in Memory
Replies
5
Views
1,930
News Archive
Ink
Ink
Xeno1234
    • Like
Question Can passwords and text messages be accessed on the web version of iCloud?
Replies
9
Views
515
General Security Discussions
Jengo
Jengo
vtqhtr413
    • HaHa
    • +Reputation
    • Wow
Security News US Credit Union Service Leaks Millions of Records and Passwords in Plain Text
Replies
1
Views
834
Security News
Freki123
F

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top