According to Zeev Ben Porat, security researcher at CyberArk, your web browser may keep sensitive data, including usernames, passwords, and session cookies, in clear text in memory.
Most Chromium-based web browsers seem to be affected, including Google Chrome. Microsoft Edge has been tested for the weakness and is affected as well. A quick test on a local Windows 11 system confirmed that browsers such as Brave and Mozilla’s Firefox web browser are also affected by the issue.
Physical access to the target machine is not required, as remote access or access to software running on the target machine is sufficient to extract the data. Extraction can be done from any non-elevated process running on the same machine.
Although the user has to enter credentials such as usernames and passwords before they can be retrieved, Zeev Ben Porat notes that it is possible to “load into memory all passwords that are stored in the password manager”.
Two-factor authentication may not be sufficient to protect user accounts either if session cookie data is also present in memory; extracting that data can lead to session hijacking attacks.
The security researcher describes several different types of plain-text credentials that can be retrieved from browser memory.
- Username + password used when logging into a targeted web application
- URL + Username + Password automatically loaded into memory when starting the browser
- All records of URL + username + password stored in login data
- All cookies belonging to a specific web application (including session cookies)
The issue was reported to Google and it was promptly given a “will not be fixed” status. The reason given is that Chromium will not solve any problems related to local physical access attacks.
Zeev Ben Porat published a follow-up post on the CyberArk blog, which outlines mitigation options and different types of attacks to exploit the issue.
How to test your browsers
Windows users can use the free Process Hacker tool to test their browsers. Just download the portable version of the program, extract its archive and run the Process Hacker executable to get started.
- Enter a username, password or other sensitive data in the browser you want to test.
- Double-click the main browser process in the process list to view details.
- Switch to the Memory tab.
- Activate the Strings button on the page.
- Select OK on the page.
- Activate the Filter button in the window that opens and select “contains” from the context menu.
- Type the password or other sensitive information in the “Enter filter pattern” field and select OK.
- Process Hacker returns data if it is in process memory.
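The same check can be repeated offline against a saved memory dump of your own browser process. The script below is an added example, not code from the article or from CyberArk; it assumes you typed a throwaway canary value into the browser and saved the process memory to a file with a tool of your choice. The canary string and sample bytes are constructed for illustration.

```python
import io

# Constructed canary: a throwaway value typed into the browser for this self-test.
CANARY = "Canary-7f3a-test!"

def canary_patterns(canary):
    """Encodings under which a typed string commonly sits in Windows process memory."""
    return {"utf-8": canary.encode("utf-8"), "utf-16le": canary.encode("utf-16-le")}

def scan_stream(stream, canary, chunk_size=1 << 20):
    """Yield (offset, encoding) for each occurrence of canary in a binary stream.

    Reads in chunks and carries a tail overlap forward, so a hit that
    straddles a chunk boundary is found, and found only once.
    """
    if not canary:
        raise ValueError("canary must not be empty")
    patterns = canary_patterns(canary)
    overlap = max(len(p) for p in patterns.values()) - 1
    tail, base = b"", 0  # base = file offset of the first byte of tail
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for enc, pat in patterns.items():
            pos = buf.find(pat)
            while pos != -1:
                # A hit lying entirely inside the tail was reported last round.
                if pos + len(pat) > len(tail):
                    yield base + pos, enc
                pos = buf.find(pat, pos + 1)
        keep = min(overlap, len(buf))
        tail = buf[len(buf) - keep:]
        base += len(buf) - keep

# Constructed sample "dump": the canary once as UTF-8 and once as UTF-16LE.
SAMPLE = (b"\x00" * 10 + CANARY.encode("utf-8") + b"\xff" * 5
          + CANARY.encode("utf-16-le") + b"\x00" * 7)

if __name__ == "__main__":
    # For a real dump: open("browser.dmp", "rb") (hypothetical file name).
    for offset, enc in sorted(scan_stream(io.BytesIO(SAMPLE), CANARY, chunk_size=8)):
        print(f"canary found at offset {offset:#x} as {enc}")
```

Any hit means the canary was present in clear text in the dumped process at the time the dump was taken.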
Now you: is your browser affected by this? What is your opinion on the matter? (via Born)