Google Chrome: Worrying vulnerability discovered
Security researchers have uncovered a vulnerability in web browsers, but Google still believes there isn't much that can be done about it.
A year ago, security researchers from the ethical hacker group CyberArks Labs discovered a vulnerability in the Chrome browser that practically presented passwords on a silver platter to potential attackers. Because the worldwide Internet portal stores cookies in plain text with your data in the main memory, which can be read with the help of various tools, as well as the passwords entered.
However, it cannot be said that only Chrome is affected by the vulnerability, as German security expert and Windows Günther Born reported on the website Borns IT and Windows Blog. Accordingly, passwords could be read from all Chromium-based web browsers and Mozilla Firefox or related places in main memory.
CyberArks Labs notified Google of this vulnerability more than a year ago. However, the information has only now been released, possibly to avoid playing more cards into the hands of potential attackers.
Google makes it easy
You can find Google’s answer in the Chromium Security FAQ. In a nutshell, it states that once you gain access to a system, you have no way of defending yourself against malicious users. According to Google, such an attacker can manipulate executables and DLLs, as well as environment variables and configuration files at will. Therefore, there is little that can be done against such attacks, both on behalf of Google and the user.
The company still has a few clues: You can at least reduce the amount of information an attacker can capture. To do this, you must disable autocomplete and saving passwords in the Chrome settings. However, how useful this is in terms of this particular vulnerability is debatable.
It seems that Google does not consider itself responsible. However, both CyberArks Labs and Günther Born have different opinions. While Google is fundamentally right in its argument, storing passwords in plain text in main memory is irresponsible.
But Google seems to have made minor adjustments: About a month after the internet giant was notified of the vulnerability, CyberArks Labs was no longer able to extract the cookie data. At least not immediately and only after changing the software used for it. But after two months this also stopped working. However, Günther Born confirms that it is still possible to read passwords from main memory in plain text.
How big is the danger in the end?
This is difficult to predict. Google could be right that a potential attacker would still need to access the system to extract cookie data and passwords from memory. If you want, it’s already too late. On the other hand, in our opinion, no stone should be left unturned to make life as difficult as possible for the aggressors.
Otherwise, for example, it would be as if you didn’t need to close a safe in the first place, because as soon as someone walked through the front door, they could still break it.
How do you see this? Should Google take action and patch this vulnerability completely? Or maybe the company is right and it just doesn’t make any sense? Write us in the comments!