Security: User secrets stored by Chrome browser does not seem to be secure.
Reported by ghanashy...@gmail.com, Aug 1
Issue description

VULNERABILITY DETAILS
User's secret stored by Chrome browser in "Login Data" does not seem to be secure.

VERSION
Chrome Version: 67.0.3396.99 (Official Build) (64-bit)
Operating System: Windows 10 Enterprise 64bit

REPRODUCTION CASE
The user's passwords to access different services like Twitter, Facebook, etc., which are stored by Chrome, seem to be no longer secure. The "Login Data" file (SQLite db) stored under \AppData\Local\Google\Chrome\User Data\Default does not seem to be a secured one.

1) Try opening the "Login Data" file from its existing location using any SQLite browser. It won't open, and the SQLite browser will prompt for a password. Even when providing the user's Windows login, it will not open.
2) Copy the "Login Data" file to some other location on the same computer and try to open it using the SQLite browser application. The file opens, and you will be able to see the complete schema and all user data except the password. Screenshot attached.
3) I tried reading the above data using the SQLite API. Compiled a program using sqlite .c and .h and executed the following SQL query successfully.

SELECT signon_realm,username_value,password_value,date_created FROM logins

Could read all the columns specified in the SQL statement successfully. And tried decrypting the field "password_value" using the CryptUnprotectData() API. I could see the password in clear text.

However, if the program runs on the same computer where "Login Data" is being created, then decryption of the password using the Windows API CryptUnprotectData() is successful. However, it seems to be a security issue as far as the user's secret is concerned.

Thanks
ghanashyam.satpathy@gmail.com
,
Aug 1
,
Aug 5
In this aspect it seems IE is not vulnerable. Any other apps, like I explained, having access to data encrypted by Chrome with the ability of getting it in clear text (decrypted) seems to be a vulnerability. And with a decision of WONTFIX from Google, it seems to be a generous idea to make this disclosure public and make users aware of such a vulnerability. What do you feel on this?

Thanks
Ghanashyam
Comment 1 by palmer@chromium.org, Aug 1
Summary: Security: User secrets stored by Chrome browser does not seem to be secure. (was: Security: User's secrete stored by chrome browser does not seem to be secure.)
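
A defender-side check for the behaviour reported in the issue description, added here as an example and not code from the reporter or the Chromium project: it scans Windows Security event 4663 (object access) records for processes other than Chrome reading a profile's "Login Data" file. It assumes a SACL audit entry on that file, events exported as dicts carrying the event's ObjectName, ProcessName and AccessMask fields, and Chrome installed in the default Program Files locations; the sample records and the `sample_event` helper are constructed for illustration.

```python
import re
from ntpath import normcase, normpath

# Chrome's per-profile credential store (path from the report), lower-cased.
LOGIN_DATA = re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$")
# Assumption: Chrome's default install locations; adjust for your fleet.
ALLOWED_IMAGES = {
    normcase(r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    normcase(r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"),
}
FILE_READ_DATA = 0x1  # ReadData bit of a 4663 AccessMask on a file object


def flag_login_data_reads(events, allowed=ALLOWED_IMAGES):
    """Return 4663 events where a non-allow-listed image read Login Data."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        if not LOGIN_DATA.search(normcase(normpath(ev.get("ObjectName", "")))):
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & FILE_READ_DATA:
            continue
        # Full path, not basename: any binary can be named chrome.exe.
        if normcase(normpath(ev.get("ProcessName", ""))) not in allowed:
            hits.append(ev)
    return hits


# Constructed sample records (not from a real log).
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"


def sample_event(image, name="Login Data", mask="0x1"):
    return {"EventID": 4663, "ProcessName": image,
            "ObjectName": PROFILE + "\\" + name, "AccessMask": mask}


SAMPLE = [
    sample_event(r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    sample_event(r"C:\Users\alice\Downloads\chrome.exe"),  # look-alike name
    sample_event(r"C:\Windows\explorer.exe"),              # e.g. a file copy
    sample_event(r"C:\Tools\backup.exe", mask="0x80"),     # attributes only
    sample_event(r"C:\Tools\sync.exe", name="Login Data-journal"),
]

if __name__ == "__main__":
    for hit in flag_login_data_reads(SAMPLE):
        print("non-Chrome read of Login Data:", hit["ProcessName"])
```
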