I've been doing a bit of quick research into where internet passwords are stored and I thought I'd share my findings.
To set up a scenario, I opened up Internet Explorer 8 on a test machine running Windows XP and logged into my Gmail account. Leaving the browser window open, I then extracted the contents of memory using win32dd.
Running the command strings dump.bin > output.txt
in the command line, and searching the resulting text file for the string containing my email address, I was surprised to find my password in plain text in a string like this:
Email=suspect-A@gmail.com&Passwd=password123&rmShown=1&signIn
The email address and password have been changed for obvious reasons, but it looks to me like this is the submitted part of the form you use to log in.
Has anyone done this sort of research before? Is this the case with some or every browser? Would be interested to know if you could find the password without searching for the email address (maybe do a general grep search for the email format).
Yes! Wow - was just looking at this with Harry Parsonage just yesterday. I found that with Google/Gmail it stored the password "Passwd" in a session restore file. The form information seems to be stored in with the URL with the password in plain text.
Interestingly Google just made two factor authentication using one time PIN through SMS available.
Starting Thursday all Google users can choose to turn on a so-called “two-factor authentication” feature, which will require them to type in a special, short-lived second password in addition to their normal password to get into their account. Users will be able to get the codes via SMS or a phone call, or use smart phone apps for Android, iPhone and Blackberry to generate the codes.
http//
Yes, I have found the same results: some email applications' passwords are very much exposed in RAM.
Regards,
Chris Currier
Interesting what happened with HBGary
http//
"got access via a stolen password"
One of the interesting/challenging issues of cloud services is that so much is managed through a web interface. Added that the cloud services basically become your domain controller so once you pwn that… And how to monitor?
Really, none of these are new challenges, just the same infosec issues on newer technology/services.
"That which has been is that which will be,
And that which has been done is that which will be done.
So there is nothing new under the sun."
Yes, I have done research in this area, not just specific to web browsers. However, applications such as Facebook, Yahoo!, Live, Gmail and others may change their formats with a version upgrade. If not then the web browser may change with a new version.
I have found that doing testing like you have done works very well. RAM dumps are very small compared to imaging an entire drive. Determine what you want to Test, Document the steps you take, and then capture physical memory. The analysis step I use is with a hex editor to search for the data entered (ASCII) i.e. email address, password, and look for Hex data before, in between, or after. See if this is consistent. Even my documents that I have done may be outdated tomorrow with a new version/upgrade of an application/browser.
The important thing is that you can develop a hex or maybe even a text search term list to find specific data not only limited to a RAM dump, but also the hard drive.
Regards,
Chris Currier
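An added example, not part of any post in this thread: one way to run the general search asked about in the first post and to build the search-term list described above, by scanning a raw dump for URL-encoded key=value runs in both ASCII and UTF-16LE and reporting any pair whose key looks like a password field. Only "Email" and "Passwd" come from the thread; the other key names, the function names and the SAMPLE bytes are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Key names to flag. "Email" and "Passwd" come from the string in the thread;
# the others are assumed common variants, extend per application under test.
PASS_KEYS = {"passwd", "password", "pass", "pwd"}
USER_KEYS = {"email", "login", "username", "user"}

BODY = rb"[A-Za-z0-9_.~%+@=&-]"
NARROW = re.compile(BODY + rb"{8,1024}")                # ASCII / UTF-8 runs
WIDE = re.compile(rb"(?:" + BODY + rb"\x00){8,1024}")   # UTF-16LE runs


def parse_pairs(text):
    """Split a key=value&key=value run into a dict with lower-cased keys."""
    pairs = {}
    for item in text.split("&"):
        key, sep, value = item.partition("=")
        if key and sep:
            pairs[key.lower()] = unquote_plus(value)
    return pairs


def find_form_credentials(data):
    """Return (offset, encoding, user, password) for each form body found."""
    hits = []
    for encoding, pattern in (("ascii", NARROW), ("utf-16le", WIDE)):
        for m in pattern.finditer(data):
            raw = m.group()
            text = (raw if encoding == "ascii" else raw[::2]).decode("ascii")
            pairs = parse_pairs(text)
            pw_key = next((k for k in pairs if k in PASS_KEYS), None)
            if pw_key is None or not pairs[pw_key]:
                continue
            user = next((pairs[k] for k in pairs if k in USER_KEYS), None)
            hits.append((m.start(), encoding, user, pairs[pw_key]))
    return sorted(hits)


# Constructed sample standing in for dump.bin: binary noise around the string
# from the thread, once as ASCII and once as UTF-16LE.
FORM = "Email=suspect-A@gmail.com&Passwd=password123&rmShown=1&signIn"
SAMPLE = (b"\x00\xff\x13MZ\x90" + FORM.encode("ascii") + b"\x00\x01\x02"
          + b"\xfe\x00" + FORM.encode("utf-16le") + b"\x00\x00\x07")

if __name__ == "__main__":
    for offset, encoding, user, password in find_form_credentials(SAMPLE):
        print(f"0x{offset:08x} {encoding:9} user={user!r} password={password!r}")
```

Scanning the raw dump rather than the output of strings keeps the byte offset of each hit, and the UTF-16LE pass catches copies that a default strings run (single-byte characters only) would miss.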
Cloud computing strangely reminds me of good ol' MultiVac
http//
Let there be light!
jaclaz