An idea about Google Chrome Login Data security


Maksimka Mazurin

Jun 22, 2013, 9:14:10 PM
to chromium...@chromium.org
Well, I have a question about the "Login Data" file's security... One day I saw that:
 1) Google Chrome and Chromium have a beautiful security system, encrypting passwords via CryptoAPI + an SQLite database.
 2) The Login Data file is useless to steal, but I have made a program that decrypts all passwords on the target computer and sends them to me.

So, I began thinking: the Login Data file is vulnerable to a simple function such as CreateFile()... It may be worth protecting this file at a low level, with a driver that tries to intercept opening of the file in ring 0.
Well, what do you think about this? I'm very, very, very sorry for my terrible English :)

Thank you for your attention, 
Mazurin Maksim, Russia.

Omnray

Jun 23, 2013, 3:26:02 AM
to chromium...@chromium.org

 2) The Login Data file is useless to steal, but I have made a program that decrypts all passwords on the target computer and sends them to me.

Can you share more details?

The most interesting question: is this program able to execute itself on Windows 7 without a UAC warning and successfully do the work?


PS: And we surely do not need any drivers in Chrome...

Maksimka Mazurin

Jun 23, 2013, 4:38:28 AM
to chromium...@chromium.org
Yes, I understand, I'll try on other computers.
But does UAC really disallow opening a file for reading? Because the Login Data file is not protected by anything.
Thanks.

Omnray

Jun 23, 2013, 4:56:20 AM
to chromium...@chromium.org
I am not a specialist, but as I understand it, if the user does not confirm the UAC dialog, the program will not be able to continue processing.
The UAC prompt must arise at the point when the process tries to access anything in other programs' data folders, or in system folders, or in others' registry keys...
And it cannot (in theory) be bypassed programmatically.

Actually, if it could be, there exists a really simple way to extract all passwords without any knowledge of SQL data files or CryptWinApi: any macro recorder will do the work. You just need to record a script which clicks through to "Chrome Settings \ Manage saved passwords" and takes some screenshots.

Or this can be done manually and remotely, if you manage to install some Chrome extension, like:

By the way, it does not raise UAC during installation or operation.

Maksimka Mazurin

Jun 25, 2013, 1:48:48 PM
to chromium...@chromium.org
Well, I checked: on another computer (Win7), UAC didn't alert about my program.

Ahmed Abed

Aug 28, 2013, 4:56:41 AM
to chromium...@chromium.org, zma...@yandex.ru
Hi,
I need to write an application that lists all my Chrome passwords,
but I can't decrypt these passwords... Can you tell me how I can do this?
Thanks