
I'm currently looking into the security of different browser password storing mechanisms. My main focus lies on the new Chromium-based Microsoft Edge browser.

As far as I can see, Chromium-based browsers use the system's credential manager / keychain to store passwords. On Windows that is the Credential Manager, seemingly sometimes called Microsoft Vault. To display or export passwords stored with Edge or other Chromium-based browsers, the user has to enter his password. Nevertheless, if Firefox gets installed and triggers the import of passwords from the Edge browser, no password is required. Further, Firefox is not asking for the user's account password in order to display passwords stored (prev. imported) in Firefox.

If host security measures like Windows Defender and ATP are installed, dumping the passwords with tools like Mimikatz, LaZagne and CredMan (PowerShell) seems impossible unless you find a way to circumvent the quite advanced protective measures.

Because the tools get blocked far before they want to access the Credential Store - but Firefox can import them with ease - I ask myself how it is doing that and how I could possibly reproduce that behaviour.

In general, if Edge is storing the passwords in the Credential Manager and accessing it requires the user's password, how is another browser capable of importing them without the user's password?

Rory Alsop
Senkaku
  • It depends upon what operating system you are using. On Windows (like it seems you're currently talking about), for example, decrypting Chrome passwords does not need any admin credentials... take a look at this: https://stackoverflow.com/questions/61099492/chrome-80-password-file-decryption-in-python. The same password stored by Chrome can be used to decrypt cookies and so the browsers can import accounts without re-login in some scenarios. The other browsers like Firefox itself and Safari do not even encrypt that information (or at least for the cookies). So, uploading existing data is not difficult – Virgula Nov 03 '20 at 17:45
  • About cookies: https://stackoverflow.com/questions/60416350/chrome-80-how-to-decode-cookies. Since you're talking about Edge, I think that this browser uses the same method as Chrome to store sensitive data: saving the password in a file and using it to encrypt/decrypt data. – Virgula Nov 03 '20 at 17:46
  • When you install Firefox you give the installer admin privileges. Maybe it can leave behind some things that let it do other things later. – User42 Nov 05 '20 at 20:36
