Security researchers from CyberArk Labs have stumbled upon a problem in Google's Chrome browser: it stores passwords and cookies in plain text in the RAM of its own process, so a suitable tool can read these plaintext passwords. I tested it on Google Chrome and on the Ungoogled Chromium clone – the problem should affect all Chromium-based browsers (so Edge too).
I came across the following tweet from CyberArk Labs security researchers on Twitter this week; they disclose the issue and describe it in more detail in the blog post Extracting Clear-Text Credentials Directly From Chromium's Memory.
It was a chance discovery by Zeev Ben Porat. As part of a project, he had created mini-dumps of all active chrome.exe processes. On the spur of the moment, he decided to check whether a password he had recently entered in the browser appeared in one of these dumps. To his surprise, he found the password stored in plain text in several different places in the memory of two of those processes.
He then dug a little deeper and found that Satyam Singh had already addressed this class of browser security issue in his 2015 blog post Browser-based vulnerabilities in web applications, which includes the issue of "passwords being stored in the memory of running processes."
A nightmare for users
After these findings, the security researcher took a closer look at what the Google Chrome browser was doing and could hardly believe what he found:
- Login credentials (URL/username/password) are stored in Chrome's memory in plain text format.
- In addition to the data entered dynamically when logging into a web application, an attacker can trick the browser into loading all passwords stored in the password manager (the "login data" file) into memory.
- Cookie data (value and properties of cookies) is stored in Chrome's memory in plain text (if the application in question is active). This includes sensitive session cookies.
This information can be extracted by a standard process (without elevated privileges) running on the local computer, which has direct access to Chrome's memory via the OpenProcess and ReadProcessMemory APIs. The extracted data can be used to hijack user accounts, even those protected by an MFA mechanism – because the session cookies can be read and reused.
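Because the read goes through OpenProcess and ReadProcessMemory, the handle open itself is the observable event on the defender's side. The following added example (my own illustration, not CyberArk's tool and not Chrome code) scans Sysmon Event ID 10 (ProcessAccess) records, which Sysmon writes whenever one process opens a handle to another, and flags cases where a process other than the browser itself obtains PROCESS_VM_READ on chrome.exe or msedge.exe. The event records, the browser image names and the allow-list are constructed assumptions for the example; real Sysmon output is XML and carries more fields.

```python
"""Flag suspicious cross-process reads of Chromium browser memory.

Added example (not CyberArk's tool or Chrome code). It scans Sysmon
Event ID 10 (ProcessAccess) records, reduced to the three fields used
here, and alerts when a non-browser process is granted PROCESS_VM_READ
on a Chromium-family browser process. Sample records are constructed.
"""

# Windows process access rights (from the Win32 SDK) relevant here.
PROCESS_VM_READ = 0x0010                 # needed by ReadProcessMemory
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # common and harmless on its own

# Chromium-family browser executables on Windows (assumption for this example).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe"}

# Chromium opens handles to its own child processes, so the browser itself
# is allow-listed as a source. Add an EDR agent here if you run one (assumption).
ALLOWED_SOURCES = set(BROWSER_IMAGES)

# Constructed Sysmon EID 10 records; GrantedAccess is the hex string Sysmon logs.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1FFFFF"},   # browser opening its own child: expected
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1000"},     # query-limited only: no memory read
    {"SourceImage": r"C:\Users\alice\Downloads\dumper.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1410"},     # VM_READ | QUERY_INFORMATION | QUERY_LIMITED
    {"SourceImage": r"C:\Users\alice\Downloads\dumper.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x0010"},     # bare VM_READ on Edge
    {"SourceImage": r"C:\Users\alice\Downloads\dumper.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1410"},     # not a browser: out of scope for this rule
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event):
    """True when a non-allow-listed process gets PROCESS_VM_READ on a browser."""
    target = basename(event["TargetImage"])
    source = basename(event["SourceImage"])
    if target not in BROWSER_IMAGES or source in ALLOWED_SOURCES:
        return False
    granted = int(event["GrantedAccess"], 16)
    return bool(granted & PROCESS_VM_READ)


def find_alerts(events):
    """Return (source, target, granted_access) tuples for suspicious events."""
    return [
        (basename(ev["SourceImage"]), basename(ev["TargetImage"]), ev["GrantedAccess"])
        for ev in events
        if is_suspicious(ev)
    ]


if __name__ == "__main__":
    for source, target, access in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {source} opened {target} with GrantedAccess={access}")
```

The rule keys on the access mask rather than on the tool name, because any memory reader, whether a one-off dumper or a GUI tool, must request PROCESS_VM_READ; the allow-list for the browser's own processes is what keeps the rule quiet in normal operation.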
The security researcher successfully tested examples of session hijacking for Gmail, OneDrive and GitHub. He found similar vulnerabilities in Microsoft's Edge browser and suspects it is no different for other Chromium clones. The details of his investigation can be read in the blog post Extracting Clear-Text Credentials Directly From Chromium's Memory.
My own test
I took this as an opportunity to briefly run my own test on Saturday using Google Chrome, the Ungoogled browser (a Chromium clone), and the Firefox browser. For this I downloaded the tool Process Hacker for Windows from GitHub and used it to inspect the memory contents.
It is enough to right-click the main process and choose Properties from the context menu. In the Properties window go to the Memory tab and click the Strings button. In the dialog that appears, specify a minimum string length (the default is 10). The results window then lists all the strings that Process Hacker found in the memory of that process.
A menu with search commands can then be opened in the results window via the Filter button. I used Contains, or its case-insensitive variant, with the search term. Here are the results of a short test:
- Google Chrome: Passwords show up in plain text.
- Ungoogled browser: Passwords show up in plain text.
- Firefox: I didn't find any passwords in the search.
The bitter conclusion: if your system is compromised and you use Google Chrome or another Chromium-based browser, you have no protection against password theft. Only Firefox may – if I have not made a mistake – be in a slightly better position. I tested all of this under Windows 7, but it should be the same in other Windows versions. I have not tested how it looks under macOS or Linux, or what happens with Chrome on mobile platforms such as Android or iOS.
No official fix …
Zeev Ben Porat reported the whole thing to the Chrome team on July 29, 2021 and promptly received the above feedback from a project member that it would not be fixed. The reasoning why the team does not see this as a problem can be read here. In general the statements are correct, but for the case above the development team falls short in my view – passwords should not be found in plain text in the browser's memory.
Zeev Ben Porat writes in his blog post that, after he reported the issue to the Chromium development team, he nevertheless observed some changes that may be "mitigation attempts". About a month after he reported the findings, his test program failed to extract cookie data; it turned out that the general memory layout had been changed (in both Chrome and Edge). With a modification he was able to keep extracting cookies until the program failed again (for Chrome and Edge) after two months. But according to my observations, plaintext passwords can still be extracted from memory.