Anyone can steal all of chrome saved passwords, form fields, bookmarks, history (opens in new tab)

(medium.com)

32 pointsjimsperry8y ago19 comments

19 comments

The bug response was laughable "yes with unrestricted acess to an account you can steal data from it".

This makes it sound like "with enough time and patience anything is possible"

But the steps described aren't even what i would call a hack. You could do them by accident if you were trying to log in to your own account under someone elses computer using chrome, in less than a minute if you're quick. It requires no technical knowledge and can be done with time to spare during someone's bathroom break.

Here's the process in a nutshell:

1) logout of their account in chrome.

2) login to you're account

3) lie and say you were the previous per person

This isn't a hack. There is no hack! This is a very small step above the "honor system" as your security!

jogjayr8y ago

Given the number of people I've seen step away from their desks without locking their machines (in the tech industry, no less)...I don't think "hack relies on physical access to the machine wontfix" is an entirely reasonable response from the Chrome team.

Maybe they could make you enter the system password for this action too like they did with saved passwords (earlier, saved passwords were visible in plaintext but now you have to enter the system password to see them)

ineedasername8y ago

It's not at all a reasonable response. A small bit of malware could eliminate the need for physical intervention: programmatically logout, login with the thief's account to sync, then log that one out too.

The response smacks of an attitude that "once a machine is even a little compromised it's not our responsibility what happens. Physical access is a compromise, therefore we don't have to fix our own loop hole."

This is like a safe company saying, "Well, of course someone that breaks into your house can also open the safe by saying, I'm the owner out loud."

Communitivity8y ago

This is not a new phenomenon, though the ease of the exploit might be new. I remember a while ago you could go in SQLite and look at the file Firefox stored all the saved passwords in, for any user. That exploit was fixed, and this one likely will be as well. I agree with other commenters, the most disturbing thing about this is the blase attitude of the response.

hlieberman8y ago

Mmm. You still can, if there's no master password enabled. But that's a distinct issue from this. Here, you're going from a state that should be entirely safe ("signed out"), to retrieving all of the secrets that are held.

Because Firefox doesn't have sign-in and sign-out like Chrome does, the principle of least surprise kicks in.

smn12348y ago

that's a walkthrough anyone can follow.

When the barrier to entry for "hacking" credentials and sensitive information is so low, the world's really in trouble...

stcredzero8y ago

It's the thats-not-my-problem response that worries me the most.

yegle8y ago

When an attacker can gain access to your unlocked computer and have time to logout/login your browser, you should not expect anything on the desktop is safe. Personally I don't see this as a security bug.

stcredzero8y ago

They should at least have to go to an effort commensurate with installing a keylogger or something like that. Just navigating a few windows to get to see your passwords -- that's just wrong. Anything that has what's supposed to have a secure login shouldn't be exposing passwords like this.

rasz8y ago

You do not need any passwords to import all of it (Cookies/Passwords) if you are already logged in. Chrome uses Windows DPAPI to encrypt it on the disk, its automagically decrypted when logged in.

ineedasername8y ago

This "hack" takes all of a minute and provides access not to the data on the desktop, but to every website or web based login used, if the user relies on chrome for such things. This isn't "if a thief is physically in your data center you've already lost". This is "I went three doors down to the vending machine for a soda and Oh My God they got my bank account credit cards and all my social media"

liormarga8y ago

But this is not an attacker this is anyone you don't need to compile dll When you got one computer with several passwords to google accounts you can than sync them to your chrome browser and so on you can steal millions of google accounts and sync it to one malicious account. people probably doing it right now :(

jimsperryOP8y ago

Was this reported to the Chrome bug bounty program? https://www.google.com/about/appsecurity/chrome-rewards/

1 more reply

cjcampbell8y ago

Would be interesting to know whether this works when a passphrase is set up to encrypt the stored data.

rasz8y ago

or you could just import all of it with one small command line program without even popping GUI on the screen? Doable in 3 seconds with a pendrive. This is a non story, autor somehow thinks his own computer should fight him.

osiutino8y ago

They should force users to retype their password for logging out

liormarga8y ago

The thing is that even if you are logged out like most of the people every thing is saved in the default profile so when you logging in to chrome you just take all the passwords , think about college computers farm or public computers ....

ineedasername8y ago

Or a simple bit of malware that automates the process so the thief doesn't even need to be physically present!

j / k navigate · click thread line to collapse

19 comments

ineedasername8y ago

The bug response was laughable "yes with unrestricted acess to an account you can steal data from it".

This makes it sound like "with enough time and patience anything is possible"

Here's the process in a nutshell:

1) logout of their account in chrome.

2) login to you're account

3) lie and say you were the previous per person

This isn't a hack. There is no hack! This is a very small step above the "honor system" as your security!

jogjayr8y ago

ineedasername8y ago

This is like a safe company saying, "Well, of course someone that breaks into your house can also open the safe by saying, I'm the owner out loud."

Communitivity8y ago

hlieberman8y ago

Because Firefox doesn't have sign-in and sign-out like Chrome does, the principle of least surprise kicks in.

smn12348y ago

that's a walkthrough anyone can follow.

When the barrier to entry for "hacking" credentials and sensitive information is so low, the world's really in trouble...

stcredzero8y ago

It's the thats-not-my-problem response that worries me the most.

yegle8y ago

stcredzero8y ago

rasz8y ago

You do not need any passwords to import all of it (Cookies/Passwords) if you are already logged in. Chrome uses Windows DPAPI to encrypt it on the disk, its automagically decrypted when logged in.

ineedasername8y ago

liormarga8y ago

jimsperryOP8y ago

Was this reported to the Chrome bug bounty program? https://www.google.com/about/appsecurity/chrome-rewards/

1 more reply

cjcampbell8y ago

Would be interesting to know whether this works when a passphrase is set up to encrypt the stored data.

rasz8y ago

osiutino8y ago

They should force users to retype their password for logging out

liormarga8y ago

ineedasername8y ago

Or a simple bit of malware that automates the process so the thief doesn't even need to be physically present!

j / k navigate · click thread line to collapse