Wednesday, September 24, 2008

Google Chrome stores plain text passwords….sort of.

My interest was of course piqued when Google announced they would be entering the browser realm, with Chrome. One of the things that has always interested me is the way different programs store passwords. While we are still working on decrypting the Chrome passwords from an imaged drive, I did make an interesting discovery about Chrome storing plain text passwords. Chrome is reliant on several files under the following paths

(dependent on OS):


Documents and Settings/User/Local Settings/Application Data/Google/Chrome/


Users/App Data/Local/Google/Chrome/

As it turns out, if you visit a site that does not require you to log in via https or any variety of other secure methods, Chrome will create a cookie, which can be found in the file “Current Session” under Chrome/User Data/Default. Within that file will be a plain text cookie with your login name and password. If the site requires https, you can still view the log in, but the password is encrypted. However, there is one neat twist to this. If you log in with an incorrect password, even from an https site, the password is still saved in plain text. Using this information, you may be able to make an educated guess on what the actual password was. You can open the file with any text viewing program, or a Hex editor program.

This password recovery method unfortunately only works if, during the last instance of the browser being opened, the person typed in their password when prompted at a site that does not use a secure method to log-in. I also created a slide show presentation, which is can be found here, detailing the steps and data that can be viewed within Chrome.

As always Thoughts/Comments/Questions?


pkasting said...

This was the result of Chromium's session restore code saving form post data, which contained the password. On our trunk, we now no longer save post data in session restore, precisely to prevent this case.

Anonymous said...

Designer talent has always been a prime focus of the replica handbags Company. After announcing a merger with designer Moet Hennessey in 1987, the fashion house partnered with acclaimed designer Marc Jacobs. Patrick Vuitton continued to supervise operations. In the new millennium, designer bags continues to bring in millions of dollars in profits each year, as demand remains steady for louis vuitton luxury purses and accessories. Rivaled by such top brands as Fendi, Gucci, and Prada, louis vuitton handbags remains a fashion icon throughout Africa, India, Japan, China, and Korea, in addition to the United States.

xiamenb2c02 said...

Top quality of ecco shoes are developed for discerning customers.Enjoy a great selection of newest ecco shoes on sale,free

shipping,110% price guarantee.Top quality of ecco shoes is your best chooice

for daily life and working,sport,and so on.And hot sale now UGG Boots

.fashion on the outside,warm on the inside.

Penis Enlargement Pills said...

The article is worth while reading, I like it very much and which you shared the info in this post is very useful. Thanks for sharing a wonderful post.

Web Application Development said...

I am impressed by the quality of information on this website. There are a lot of good resources here. I am sure I will visit this place again soon.

Simple Luxury said...

Burberry Outlet Store Online
Handbags Outlet Store Online

sports handicapping software said...

Thank you for sharing to us.there are many person searching about that now they will find enough resources by your post.I would like to join your blog anyway so please continue sharing with us

baixar mobogenie said...

This info is much more valuable than assuming revenue expertise according to previous market come across .
mobogenie | mobogenie baixar | baixar mobogenie

jogos friv said...

feeling great when reading your post .
i like play game jogos click online free and play game juegos de pou