4

I just installed Firefox browser, while I have previously used Google Chrome as my main browser. I am using Windows 10.

During the installation and setup process for Firefox, I was given the option to migrate over my data from Chrome, including usernames and passwords. This process completed quickly, and I was then able to log in to various websites using my saved passwords that I previously had in Chrome. This whole process was quite convenient, but it got me thinking:

How did Firefox get my passwords?

I never had to type in any of my passwords into Firefox, and I never had to do anything in Chrome to "release" this information to Firefox. The only requirement given by Firefox was that Chrome should be closed during the process. I also didn't need to grant the installer program any elevated privileges, besides just allowing it to run.

So what mechanism is Firefox using to retrieve these passwords from Chrome? This other answer claims that Windows has no mechanism to protect the passwords, but I still wonder what the actual mechanism is, and why the browser design is unable (or unwilling for some other reason) to protect access to the passwords through any other means outside of OS privileges. (The only explanation I've come up with is that it is inconvenient for the user to enter their "master password" every time they start the browser).

My previous understanding was this:

If I try to view my passwords in chrome on passwords.google.com, I have to re-enter the password to log in to my main Google account where they (presumably) are stored. Of course, to actually use these passwords to log in to a site on Chrome, I don't have to enter my main password most of the time. I assume this is because the browser has session token that it uses to authenticate the retrieval of these passwords in most cases.

Could it be that Firefox "stole" this token to access my passwords? Or that the passwords are actually stored locally in some form that can be decrypted without needing the user's input?

And finally, does this mean that it is trivial for any program to steal my passwords in this manner?

  • 4
    Does this answer your question? [How do browsers import password data from other browsers?](https://security.stackexchange.com/questions/230900/how-do-browsers-import-password-data-from-other-browsers) – Joseph Sible-Reinstate Monica Apr 23 '21 at 00:20
  • @JosephSible-ReinstateMonica though the question is similar, the accepted answer doesn't satisfy the "how" part of my question. I have updated to clarify. – Hymns For Disco Apr 23 '21 at 00:35
  • Did you have a **Master Password** set for your Chrome Browser? – user10216038 Apr 23 '21 at 03:53
  • @user10216038 Not exactly. I don't know of any such feature built in to Google Chrome, however what I do use is a "master account", which is my Google account logged in as the browser profile, and which has all my passwords saved and accessible at https://passwords.google.com . Any time Chrome offers to "save a password", it is saved to this account and accessible from other devices. – Hymns For Disco Apr 23 '21 at 04:12
  • 3
    The answer in the linked question is implicitly assuming that you understand that browsers don't just store your passwords in an online service, but also in a local file on your computer. This file is typically unencrypted. So a different program can easily extract your Chrome passwords from that file. Whether this is a problem depends on your threat model. – amon Apr 23 '21 at 07:48

1 Answers1

10

(I had to make some quick research for this intriguing question).

The saved passwords can be decrypted by Firefox (or any other software) as long as it is running within your windows account on the same machine where the passwords were encrypted.

Chrome encrypt stored password using CryptUnProtectData, the algorithm relies on the user logon credentials and some information specifics to the machine to decrypt the passwords.

You can check here a Python implementation that uses the same encryption function to read the saved passwords on Chrome.

elsadek
  • 1,782
  • 2
  • 17
  • 53
  • 5
    You learned something, OP learned something, I learned something. The world is a better place now. – ThoriumBR Apr 23 '21 at 10:54
  • 1
    In fact, Chrome uses [DPAPI in the LocalMachine scope](https://security.stackexchange.com/q/230137/235964), which means any account on the same machine can be used to decrypt the passwords. So if you are sharing a computer with someone else, they can boot into a separate OS, copy your chrome password file (assuming no FDE), and then reboot and log into their own account and decrypt your passwords. – nobody Apr 23 '21 at 12:12