Stealing Passwords from Browser
A few days ago, I was analyzing a new malware called RedLineStealer. The malware has the capability to steal browser
cookies and collect information about the target system. This information is then sent to a C2 server.
But in this article I don't want to describe the malware itself. The modus operandi of RedLineStealer made me think
about a topic that is often misunderstood: storing login credentials in browsers. Is it secure? Should
I store them or not? Here is a short writeup.
How does password storing work?
Most modern browsers allow you to store login credentials in a built-in password manager. This function is enabled
by default, as the settings pages of Edge and Firefox show:
[Screenshot: Edge password settings]
[Screenshot: Firefox password settings]
When a login website is visited, the browser provides a prompt to save the login credentials.
Username and password are then encrypted with a key and stored in a local SQLite database.
Known locations under Windows are:
Firefox
%APPDATA%\Mozilla\Firefox\Profiles\
Edge
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault
C:\ProgramData\Microsoft\Vault
C:\Users\e8889\AppData\Local\Microsoft\Vault
Chrome
C:\Users\e8889\AppData\Local\Google\Chrome\User Data\Default\
Decrypting the password
If we want to read the passwords in plaintext, we need the encryption key. Fortunately, this key can be found on the
local disk in the same folders, so anyone (or any malware) that can read the profile folder also has the key. With the
help of freely available tools we can decrypt all stored passwords within seconds, no matter how complex they are.
The screenshot below shows successfully decrypted passwords and usernames.
Conclusion
Personally, I don't recommend storing passwords in the browser. It is certainly more secure than writing the password
on a piece of paper and sticking it on the screen, or having plaintext passwords in a text file.
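As an added example (not from the original article), here is a PowerShell script that audits, and with -Enforce sets, the documented enterprise policy that turns the built-in password manager off in Chrome, Chromium-based Edge and Firefox. It assumes a default Firefox install under Program Files and an elevated shell for the writes.

```powershell
# Added example: audit (and optionally enforce) the policies that disable the
# built-in password manager. Assumes an elevated shell when -Enforce is used.
param([switch]$Enforce)

# Chrome and Chromium-based Edge read PasswordManagerEnabled from HKLM policy keys.
$ChromiumPolicies = @(
    @{ Browser = 'Chrome'; Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome' },
    @{ Browser = 'Edge';   Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' }
)

foreach ($p in $ChromiumPolicies) {
    $val = (Get-ItemProperty -Path $p.Key -Name PasswordManagerEnabled `
            -ErrorAction SilentlyContinue).PasswordManagerEnabled
    if ($val -eq 0) {
        Write-Output "$($p.Browser): built-in password manager disabled by policy"
    } else {
        Write-Output "$($p.Browser): password manager ENABLED (default) - credentials are saved on disk"
        if ($Enforce) {
            New-Item -Path $p.Key -Force | Out-Null
            Set-ItemProperty -Path $p.Key -Name PasswordManagerEnabled -Value 0 -Type DWord
            Write-Output "  -> set PasswordManagerEnabled=0 under $($p.Key)"
        }
    }
}

# Firefox reads policies from <install dir>\distribution\policies.json.
# Assumed install location: %ProgramFiles%\Mozilla Firefox
$ffDir      = Join-Path ${env:ProgramFiles} 'Mozilla Firefox'
$policyFile = Join-Path $ffDir 'distribution\policies.json'
$json = $null
if (Test-Path $policyFile) {
    $json = Get-Content $policyFile -Raw | ConvertFrom-Json
}
if ($json -and $json.policies.PasswordManagerEnabled -eq $false) {
    Write-Output 'Firefox: built-in password manager disabled by policy'
} else {
    Write-Output 'Firefox: password manager ENABLED (default)'
    if ($Enforce -and (Test-Path $ffDir)) {
        New-Item -ItemType Directory -Path (Split-Path $policyFile) -Force | Out-Null
        if (-not $json) { $json = [pscustomobject]@{ policies = [pscustomobject]@{} } }
        if (-not $json.policies) {
            $json | Add-Member -NotePropertyName policies -NotePropertyValue ([pscustomobject]@{})
        }
        $json.policies | Add-Member -NotePropertyName PasswordManagerEnabled -NotePropertyValue $false -Force
        $json | ConvertTo-Json -Depth 5 | Set-Content -Path $policyFile -Encoding UTF8
        Write-Output "  -> wrote PasswordManagerEnabled=false to $policyFile"
    }
}
```

Run it without -Enforce first to see the current state; browsers pick up the policy on their next start, and already saved credentials remain on disk until removed from the browser.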