Even if an attacker has admin rights or offline access and can get to the locally stored data, the system is designed to prevent the attacker from getting the plaintext passwords of a user who isn't logged in. The profile’s encryption key is protected using Chromium's OSCrypt and uses the following platform-specific OS storage locations: The way to decrypt another user's passwords is if that user were logged on and the attacker had the user’s password or has compromised the domain controller. On Linux, the storage area is Gnome Keyring or KWalletĪll these storage areas encrypt the AES key using a key accessible to some or all processes running as the user. This attack vector is often featured in blogs as a possible 'exploit' or 'vulnerability', which is an incorrect understanding of the browser threat model and security posture.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |