Google

Google Chrome & Edge save passwords Vulnerability detected

A CyberArk Labs security researcher draws attention to a security vulnerability that resides in Google Chromium and thus affects Chrome and Edge web browsers: saved passwords are easy to read. Chrome simply stores user passwords in plain text in memory.

So the unencrypted passwords can be easily read if you know where to find them – which is far too easy. But that’s not the real scandal. According to the findings of Zeev Ben Porat of CyberArk Labs This procedure for storing unencrypted sensitive data was discovered and documented in 2015 by security researcher Satyam Singh.

At the time, he had already noticed that passwords were more easily stored in plain text in the main memory of running processes. These vulnerabilities should therefore have been known for some time.

To date, however, little or nothing has been done to address this vulnerability. Looks like Google won’t change anything either. The developers classified the problem as irrelevant, which does not need to be solved. Security researcher Zeev Ben Porat found several questionable handling of sensitive data:

Analysis

  • Credentials (URL/username/password) are stored in Chrome’s memory in plain text. In addition to data entered dynamically when logging in to certain web applications, an attacker could trick the browser into loading into memory all passwords stored in the password manager (“login data” file).
  • The data of cookies (value and properties of cookies) is stored in plain text in Chrome memory (when the respective application is active). This includes sensitive session cookies.
  • This information can be effectively extracted by a standard (non-elevated) process that runs on the local machine and accesses Chrome’s memory directly (using the OpenProcess and ReadProcessMemory APIs).

Researchers even tried how other popular browsers handle passwords. It turned out that in addition to Edge and Chrome, Vivaldi and Firefox also store passwords in plain text.