Google Chrome Web Browser Insecurity, Get the Cookie!
- July 8th, 2010
- Posted in Web
- By d0tk0m
In my eyes there is a design flaw here, but I guess it is something we should all be aware of, and above all it should make us think twice about how we protect our data. So let’s start with how this came about. It began when I noticed that a single file from the Google Chrome browser could be transferred from one machine to another and leave you logged in to whatever site its owner was using at the time. For example: you’re sitting in the living room with your girlfriend, and of course you know the admin password to her laptop, since you’ve fixed it a few times for her before. You connect remotely via the ‘c$’ share, find the file you need, copy and paste it, and boom, you’re logged into her Facebook account as her, chatting to her friends and impersonating her. The process is known as cookie stealing or session hijacking.
My concern here is that it shouldn’t be this simple, but it is. Session hijacking usually involves stealing the cookies on the fly through what we call a MitM (Man in the Middle) attack, which can be done easily on systems that don’t have preventive measures such as an IDS or IPS in place. Then again, just today I’ve been reading about HTTP Request Smuggling techniques, which were a new eye-opener for me.
I posted on this previously but have decided to rewrite the post here. Why? Because my first thought was that we needed to copy the victim’s entire Google Chrome browser directory to our machine to get the hack to work. Later analysis revealed that the process was much simpler: we actually only need one file, and that file is named ‘Cookies’.
Local Chrome browser user data is stored at:
Windows XP – ‘C:\Documents and Settings\UserName\Local Settings\Application Data\Google\Chrome\User Data\Default’
Windows 7 – ‘C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default’

In those folders you will find the cookie file you’re looking for. There is a catch though: the victim you are taking the file from must have selected the ‘keep me logged in’ check box before logging into the site. Almost all sites offer this feature, but whether it is used is down to the user; popular sites like Hotmail, Gmail, WordPress and so on offer it, the list goes on.
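The reason the copied file works is that a persistent "keep me logged in" cookie is the only secret the server checks, so whoever presents it is the user. A server-side mitigation that limits the damage is the "series + token" scheme for persistent logins: the token half of the cookie is rotated on every use, so when a copied cookie is used by two parties, the second presenter arrives with a stale token for a known series and the server can revoke the whole series. The following is an added example of that scheme, not code from this post or from any browser or site it mentions; the RememberMeStore class, the cookie layout series:token, the 30-day lifetime and the user names are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Assumed policy for the example: persistent logins live at most 30 days.
TOKEN_TTL = 30 * 24 * 3600


def _h(value: str) -> str:
    """Hash a token so that a copy of the server store cannot forge cookies."""
    return hashlib.sha256(value.encode()).hexdigest()


class RememberMeStore:
    """Hypothetical server-side store for 'keep me logged in' cookies.

    Cookie value format (assumed): "<series>:<token>". The series identifies a
    login and never changes; the token is single-use and rotated on each visit.
    """

    def __init__(self):
        # series -> {"user": str, "token_hash": str, "expires": float}
        self._series = {}

    def issue(self, user: str, now=None) -> str:
        """Start a new series for a user at login and return the cookie value."""
        now = time.time() if now is None else now
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._series[series] = {
            "user": user,
            "token_hash": _h(token),
            "expires": now + TOKEN_TTL,
        }
        return f"{series}:{token}"

    def redeem(self, cookie: str, now=None):
        """Validate a presented cookie and rotate its token.

        Returns (status, user, new_cookie):
          ("ok", user, rotated_cookie)  valid; the caller sets rotated_cookie
          ("theft", user, None)         series known but token stale: the
                                        cookie was already used elsewhere,
                                        so the whole series is revoked
          ("invalid", None, None)       malformed, unknown or expired
        """
        now = time.time() if now is None else now
        try:
            series, token = cookie.split(":", 1)
        except ValueError:
            return ("invalid", None, None)
        rec = self._series.get(series)
        if rec is None or rec["expires"] < now:
            self._series.pop(series, None)
            return ("invalid", None, None)
        if not secrets.compare_digest(rec["token_hash"], _h(token)):
            # Right series, wrong token: someone else already rotated it.
            # Revoke the series so neither the thief nor the stale copy works.
            user = rec["user"]
            del self._series[series]
            return ("theft", user, None)
        new_token = secrets.token_urlsafe(32)
        rec["token_hash"] = _h(new_token)  # the presented token is now useless
        return ("ok", rec["user"], f"{series}:{new_token}")

    def revoke_user(self, user: str) -> int:
        """Drop every persistent login for a user (e.g. on password change)."""
        doomed = [s for s, r in self._series.items() if r["user"] == user]
        for s in doomed:
            del self._series[s]
        return len(doomed)


def demo():
    """Walk through the copied-cookie scenario described in the post."""
    store = RememberMeStore()
    cookie = store.issue("alice")                      # alice ticks "keep me logged in"
    first, _, copied_user_cookie = store.redeem(cookie)  # the copy is used first
    second, _, _ = store.redeem(cookie)                # alice returns with the stale copy
    third, _, _ = store.redeem(copied_user_cookie)     # the rotated cookie is dead too
    return (first, second, third)


if __name__ == "__main__":
    print(demo())
```

The scheme does not stop the first use of a copied cookie; it makes the two presenters of one cookie detectable and lets the server end both sessions, and it keeps only hashes so the store itself is not a second copy of the secret. Shortening TOKEN_TTL and requiring re-authentication for sensitive actions shrink the window further.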
Now Google have been contacted in regards to this, but in all honesty they don’t actually care because it requires administrative rights. Please see the following response from Google:
From: Google Security Team <security@google.com>
Date: Mon, 28 Jun 2010 17:03:46 -0000
Subject: Re: [#662231084] Stealing User Credentials from Google Chrome Browser
To: user@gmail.com

Hey

Since this attack requires that you have already compromised the victim, this is not a security issue with Chrome. For nearly all web applications, the cookie is the only "secret" that is used by the server to associate the web browser with a specific user. Since you copy across the directory that contains the cookies, it's completely expected that you would be able to view that user's session. If you could find a way to obtain that information *without* already having access to the victim, then that would be a vulnerability.

Cheers,
Adam, Google Security Team
The thing is, it isn’t so easy to do this in this way with other web browsers such as IE8 or Firefox 3.6. What concerns me even more was Google’s release of the Microsoft Help and Support Centre vulnerabilities. With such an attack, surely Google themselves have made this process easier to do; in fact they’ve practically turned it into a remote attack themselves!
Who do you put your trust in these days? It’s hard to know where Google’s security limitations are and what they are willing to accept as their responsibility. For me this has made me rethink how secure the Google web browser and Google’s other services actually are.


A very good article and as far as I’m concerned highlights a vulnerability that we should all be aware of. Whether or not this is a Google issue is irrelevant; from a user perspective it’s an issue.
While this may be a vulnerability in other browsers the smart thing here for Google would be to fix it in Chrome and then shout about it.
Still can’t believe how easy it is to acquire the user identity. Of all the 100s of other patches that come out to fix similar types of issues, this one is there for even the novice hacker to take advantage of.