Passwords and sensitive data are stored in clear text in your browser’s memory
According to CyberArk security expert Zeev Ben Porat, your web browser may keep sensitive data in clear text in memory, including usernames, passwords, and session cookies.
Most Chromium-based web browsers, including Google Chrome, appear to be impacted. Microsoft Edge was also tested for the flaw and found to be vulnerable. A short test on a nearby Windows 11 PC revealed that the problem also affects browsers like Brave and Mozilla’s Firefox web browser.
Remote access, or access to software running on the target system, is sufficient to extract the data, so physical access to the target machine is not necessary. The extraction can be carried out by any non-elevated process that runs on the same computer.
While the user must enter credential data such as usernames and passwords before they can be recovered, Zeev Ben Porat points out that “all the passwords that are kept in the password manager may be loaded into memory.”
If session cookie data is also present in memory, two-factor authentication may not be adequate to protect user accounts: the extracted data may be used in session hijacking attempts.
Several distinct forms of clear-text credential data may be recovered from the browser’s memory, according to the security researcher.
- The username and password used when logging into a specific web application
- The URL, username, and password automatically loaded into memory during browser launch
- All URL + username + password records stored in Login Data
- All cookies associated with a single web application (including session cookies)
The problem was reported to Google, and it was swiftly marked as “won’t fix.” Chromium will not fix issues linked to physical local access attacks, according to the explanation offered.
On the CyberArk blog, Zeev Ben Porat published a follow-up article that discusses mitigation options and several types of attacks that may be used to exploit the vulnerability.
What are the best ways to test your browsers?
Windows users can test their browsers with Process Hacker, a free program. To get started, just download the portable version of the application, unpack the package, and run the Process Hacker executable.
In the browser you wish to test, type a login, password, or other sensitive information.
- To display its details, double-click the primary browser process in the process list.
- Switch to the Memory tab.
- On the page, click the Strings button.
- On the page, click OK.
- In the new window, click the Filter button and choose “contains” from the context menu.
- In the “Enter the filter pattern” section, type the password or any sensitive information, then click OK.
- If the data is located in process memory, Process Hacker returns it.
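The same check can be scripted against a memory dump of your own browser process. The Python code below is an added example, not code from the original article or from CyberArk; it assumes the dump has already been saved to a file and searches it for a test string in both UTF-8 and UTF-16LE, since the value may be held in memory in either encoding. The function name `find_canary` and the sample value are hypothetical and constructed for illustration.

```python
import io


def find_canary(stream, canary, chunk_size=1 << 20):
    """Return sorted (offset, encoding) hits for `canary` in a binary stream.

    The stream is read in chunks so a large dump is never loaded whole. A tail
    of (longest pattern - 1) bytes is carried into the next read so a match
    that straddles a chunk boundary is still found.
    """
    if not canary:
        raise ValueError("canary must be a non-empty string")
    patterns = {
        "utf-8": canary.encode("utf-8"),
        "utf-16le": canary.encode("utf-16-le"),
    }
    keep = max(len(p) for p in patterns.values()) - 1
    hits = set()          # a set, because a hit inside the tail is seen twice
    tail = b""
    base = 0              # file offset of the first byte of `tail`
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for name, pat in patterns.items():
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, name))
                pos = buf.find(pat, pos + 1)
        tail = buf[-keep:] if keep else b""
        base += len(buf) - len(tail)
    return sorted(hits)


def demo():
    # Constructed sample: a unique test value the tester typed into a login
    # form, embedded in a fake "dump" once as UTF-16LE and once as UTF-8.
    canary = "Canary-7f3a-test"
    dump = (b"\x00" * 30 + canary.encode("utf-16-le") + b"\xff" * 10
            + b"user=" + canary.encode("utf-8") + b"\x00" * 5)
    # A tiny chunk size forces both matches across chunk boundaries.
    return find_canary(io.BytesIO(dump), canary, chunk_size=16)


if __name__ == "__main__":
    for offset, encoding in demo():
        print(f"found at offset {offset} as {encoding}")
```

For a real dump, open the file in binary mode and pass the file object as `stream`. Use a unique throwaway value as the test string so that hits are unambiguous.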