Browser vulnerability: passwords stored in plain text
Chrome, Edge and Firefox
A vulnerability in Google Chrome allows passwords to be read in plain text. Edge and Firefox are also said to be affected. However, Google does not want to patch it.
Several popular Chromium-based browsers are affected by a vulnerability that allows passwords to be read in plain text. The vulnerability was discovered by accident by security researcher Zeev Ben Porat of Cyberark. According to him, the findings are “quite concerning”.
According to the researcher, while the browser is in use, passwords and other data such as URLs, active cookies and user names are stored unencrypted in Chrome's memory. Attackers can also actively load all passwords stored in the browser’s password manager into memory.
The data stored in memory can then be extracted by attackers. By comparing the memory before and after the user logs into a service, the password used can be identified in a targeted manner. Since session cookies are also stored in memory, even two-factor authentication could be bypassed.
A similar vulnerability was already discovered and disclosed in 2015 by Satyam Singh of Infosec.
Cyberark already suspected in the original article that other Chromium browsers such as Edge are also affected by the vulnerability. The IT blogger Günter Born was able to confirm this in several tests. The problem also seems to exist in Mozilla’s Firefox.
Zeev Ben Porat reported the vulnerability to Google on July 29, 2021. However, the company informed him that it would not fix the vulnerability and referred to its own Security FAQ. According to Google, the problem can only be exploited if the attackers have physical access to the device, which is outside of Chrome’s threat model: the browser must rely on the local user being trustworthy.
According to Born, this statement is correct in theory, but falls short in this case: “Passwords should not be found in clear text in the browser memory.”
Reference-www.pc-magazin.de