
Extracting Passwords from Google Chrome: A Weakness Explored

By Talon Research | July 7, 2023

Whether for personal use or work purposes, users often rely on web browsers to store their passwords. However, a recent YouTube video by cybersecurity researcher and educator, John Hammond, sheds light on a weakness within Google Chrome’s password manager that puts many passwords at risk. In this blog post, we’ll delve into the highlights of the video, the consequences of these findings, and explore a solution that can protect users from this password-stealing method.

Video Overview

John Hammond’s YouTube video, titled “How to Extract Plaintext Google Chrome Passwords,” dives into the process of retrieving plaintext passwords saved in web browsers, specifically focusing on Google Chrome. The video has gained significant attention, drawing over 130k viewers at the time of this post. Let’s look at some key points from the video.

Saving Passwords in Google Chrome

To begin illustrating the weakness, Hammond creates a test account on ctf.nahamcon.com, a website for cybersecurity exercises, and saves the password within Google Chrome’s password manager. This simple act demonstrates how users trust their browsers to securely store their sensitive information.

Let’s take a quick step back and answer a pressing question. Why would anyone trust Google Chrome with private information? It’s simple: convenience. Most users (though if you’re reading this post and interested in enterprise browsers, maybe not you) view password management as a hassle. We’re all familiar with the classic password written on a sticky note stuck to the monitor. When you approach Google Chrome’s password manager in this way, it starts to make more sense. It’s built, principally, for convenience, to reduce user friction. Security is secondary.

In a way, Google Chrome’s password manager is much like the classic password on a sticky note, and maliciously accessing an account follows just about the same process – only with slightly more steps. Slightly.  

Accessing the Encryption Key

Hammond then proceeds to show viewers how to access the encryption key used to protect the stored passwords. By navigating to the “local state” file in Google Chrome’s user data folder, the encryption key can easily be found, buried unceremoniously in a .json file. This key is crucial for decrypting the passwords stored by the browser, and it’s stored right alongside the actual encrypted passwords.

The “login data” File

Now we’re getting to the juicy stuff. The encrypted passwords are stored in a binary file aptly named “login data.” This file resides in the default directory of Google Chrome and houses the passwords alongside other relevant data. Of course, this file is encrypted with the Advanced Encryption Standard, but what do we have that can help with that? The encryption key from earlier – and let’s not forget, that encryption key was practically right next door to the encrypted passwords. With access to this encrypted database file and the encryption key, an adversary can easily decrypt and obtain users’ passwords, just about as easily as reading them from a sticky note.
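For defenders, the useful signal in the two sections above is that a process other than the browser touches both the “local state” file and the “login data” file in quick succession. The sketch below is an added example, not code from the video or from Talon; it assumes file-access telemetry already normalized into a hypothetical event schema, a 60-second correlation window, and constructed sample events.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Assumption: file-access telemetry (auditing or EDR) has been normalized into
# dicts with "time", "pid", "image" and "path"; this schema is hypothetical.
BROWSER_IMAGES = {"chrome.exe"}    # name match only; verify path/signature in production
WINDOW = timedelta(seconds=60)     # assumed correlation window

def classify(path):
    """Return 'key' for Local State, 'db' for Login Data, else None."""
    p = path.lower().replace("/", "\\")
    if "\\google\\chrome\\user data\\" not in p:
        return None
    return {"local state": "key", "login data": "db"}.get(ntpath.basename(p))

def find_suspicious(events):
    """Flag non-browser processes that touch both files within WINDOW."""
    seen = defaultdict(dict)       # (pid, image) -> {'key': time, 'db': time}
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = classify(ev["path"])
        image = ntpath.basename(ev["image"]).lower()
        if kind is None or image in BROWSER_IMAGES:
            continue
        proc = (ev["pid"], image)
        seen[proc][kind] = ev["time"]
        other = "db" if kind == "key" else "key"
        if other in seen[proc] and ev["time"] - seen[proc][other] <= WINDOW:
            alerts.setdefault(proc, ev["time"])   # keep first alert per process
    return alerts

# Constructed sample events (not real telemetry).
UD = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
def _ev(ts, pid, image, rel):
    return {"time": datetime.fromisoformat(ts), "pid": pid, "image": image, "path": UD + rel}

SAMPLE_EVENTS = [
    _ev("2023-07-07T10:00:00", 4120, CHROME, r"\Local State"),
    _ev("2023-07-07T10:00:01", 4120, CHROME, r"\Default\Login Data"),
    _ev("2023-07-07T10:05:01", 7788, r"C:\Users\alice\Downloads\tool.exe", r"\Local State"),
    _ev("2023-07-07T10:05:03", 7788, r"C:\Users\alice\Downloads\tool.exe", r"\Default\Login Data"),
    _ev("2023-07-07T10:06:00", 9001, r"C:\Tools\backup.exe", r"\Default\Login Data"),
]

if __name__ == "__main__":
    for (pid, image), when in find_suspicious(SAMPLE_EVENTS).items():
        print(f"ALERT {when.isoformat()} pid={pid} image={image} read key file and password DB")
```

On the sample data only the non-browser process that reads both files is flagged; the browser itself and the process that touches a single file are not.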

The Ripple Effect of Security Breaches

The implications of this vulnerability run deeper than some might initially consider. It’s not merely about the threat of cybercriminals exploiting this gap and gaining access to sensitive information. Of course, it does introduce a substantial security risk, since malicious actors could potentially exploit this vulnerability to gain unauthorized access to a victim’s personal or enterprise accounts. But, more so, the ease with which passwords can be stolen using this method is particularly startling, not to mention the subsequent erosion of trust in the reliability of consumer-grade browser-based password management.

Protecting User Passwords with Talon Browser

While the weakness demonstrated in the video highlights a concerning issue with Google Chrome’s password manager, there are alternative solutions that prioritize user security. The Talon Enterprise Browser, for instance, addresses this weakness by implementing a unique approach to password storage.

Unlike Google Chrome, Talon’s Enterprise Browser saves the encryption key far away from the passwords. Extending our “next door” analogy a bit, if Chrome stores the encryption key next door to the passwords, Talon stores it on another planet. This means that even if an attacker gains access to the local state folder, they won’t be able to decrypt the passwords without the encryption key. By keeping the key far away from the passwords, Talon’s browser adds an additional layer of security to safeguard user information.

In an earlier blog post, we delved into the inherent risks associated with saved browser data. We demonstrated how Talon, in contrast to other browsers, only serves cookies in plain text when it’s absolutely necessary. This preventative measure substantially hampers malicious actors from dumping memory to read cookies and nearly eliminates their ability to search for plaintext cookies. Bundling this robust defense with Talon’s exceptional password protection, the browser virtually neutralizes the threat of account takeovers.

Conclusion

As technology continues to advance, it is crucial for users to remain vigilant about the security of their personal information. John Hammond’s YouTube video serves as a reminder that even seemingly secure features like Google Chrome’s password manager can have vulnerabilities. By exploring alternative solutions like the Talon Browser, organizations can protect users from potential password-stealing methods and prioritize their productivity and online safety. Securing our digital lives is a shared responsibility, and staying informed is the first step towards a safer online experience. To learn more about what Enterprise Browser security is, check out our latest blog post.

Or hungry for another video? Watch a demo of the Talon Enterprise Browser’s security capabilities.

