Closed Fomovet closed 1 month ago
Please check if the password versions stored in your chrome browsers are older than v10. Anything older than v10 passwords will not be decrypted. BrowserSnatch works on latest v10,v11 version encrypted passwords only. Same goes for the cookies !
You can check the version of you encrypted data in sqlite db browser for passwords or cookies file. Every encrypted data has prepended version meta info as shown in the screenshot below:
Please check if the password versions stored in your chrome browsers are older than v10. Anything older than v10 passwords will not be decrypted. BrowserSnatch works on latest v10,v11 version encrypted passwords only. Same goes for the cookies !
You can check the version of you encrypted data in sqlite db browser for passwords or cookies file. Every encrypted data has prepended version meta info as shown in the screenshot below:
The latest version of Chrome cookie encryption is v20
Google has recently updated its security policy on saving encrypted cookies. Unlike before, they encryption keys are not only secured by DPAPI (which could be easily accessed by malware running with the same user mode privileges) but now chrome has introduced something called Application-Bound Encryption Primitives which basically improves on DPAPI by running a SYSTEM Level Chrome Service which first authenticates if the application requesting the key is Chrome itself and then uses SYSTEM level privileges to decrypt keys with DPAPI and return to the requesting process (which would be chrome).
Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app. Now, the malware has to gain system privileges, or inject code into Chrome. This complicates the process of stealing chrome cookies. For now, chrome passwords saving policy has not been shifted to this mechanism but eventually it will. So I need to do some R&D on how to include this bypass in upcoming versions of BrowserSnatch.
For your reference: https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html
Will be handled in upcoming versions
@Fomovet, Chrome 1.27 and greater version cookie decryption is now available in latest release. There is a separate command line parameter for snatching latest app bound encrypted chrome cookies.
use: ./BrowserSnatch.exe -cookies -chrome_app_bound
OS Version: Windows 11 OS Architecture: 64-bit Browser Name: Chrome Browser Version: 129.0.6668.59
Log Output