Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
Risky Chrome (The perfect cleartext password offering )
Sep 05 2008 05:59AM
quakerdoomer fmguy com
Google Chrome : The perfect password offering ( Tested on pair.com Webmail, might work on
others as well with Google Chrome 0.2.149.27)
Chrome stores saves passwords in CLEAR TEXT.
1 ] Goto webmail.pair.com
Pair Webmail provides https and doesn't have any option on its page to save password.
2 ] Enter your username. Enter a false (incorrect) password
3 ] Allow Chrome to save password ( It will prompt below the address bar)
4 ] Now try again and this time Login user your real credentials
5 ] Open a few emails, if possible in a new tab
6 ] Sign out and close Chrome
7 ] Locate
X:\Documents and Settings\<user name>\Local Settings\Application Data\Google\Chrome\User
Data\Default\Current Session ( Path might be different in Vista )
and change directory using the command prompt to the above path
8 ] Note that the "Current Session" file needs to be present in your "\Application
Data\Google\Chrome\User Data\Default\" directory
9 ] Fire this command in cmd : find "&secret" "Current Session" (You can use grep as well)
10 ] If you have reached till this stage you can see that its stored in clear text.
11 ] Screenshot attached : Chrome_Password_Current_Sessions_ClearText.png
Uh! Cannot attach !!
Contact for a demo video if you can't manage to pull this.
-- QUAKERDOOMER
[ reply ]
Privacy Statement
Copyright 2009, SecurityFocus
others as well with Google Chrome 0.2.149.27)
Chrome stores saves passwords in CLEAR TEXT.
1 ] Goto webmail.pair.com
Pair Webmail provides https and doesn't have any option on its page to save password.
2 ] Enter your username. Enter a false (incorrect) password
3 ] Allow Chrome to save password ( It will prompt below the address bar)
4 ] Now try again and this time Login user your real credentials
5 ] Open a few emails, if possible in a new tab
6 ] Sign out and close Chrome
7 ] Locate
X:\Documents and Settings\<user name>\Local Settings\Application Data\Google\Chrome\User
Data\Default\Current Session ( Path might be different in Vista )
and change directory using the command prompt to the above path
8 ] Note that the "Current Session" file needs to be present in your "\Application
Data\Google\Chrome\User Data\Default\" directory
9 ] Fire this command in cmd : find "&secret" "Current Session" (You can use grep as well)
10 ] If you have reached till this stage you can see that its stored in clear text.
11 ] Screenshot attached : Chrome_Password_Current_Sessions_ClearText.png
Uh! Cannot attach !!
Contact for a demo video if you can't manage to pull this.
-- QUAKERDOOMER
[ reply ]