Dvorak: A Browser Credential Dumping Malware

Jos

e Areia

1,2 a

, Bruno Santos

1,2

and M

ario Antunes

1,3 b

School of Management and Technology (ESTG), Polytechnic of Leiria, Leiria, Portugal

Computer Science and Communication Research Centre (CIIC), Polytechnic of Leiria, Leiria, Portugal

INESC TEC, Center for Research in Advanced Computing Systems, Porto, Portugal

Keywords:

Web Security, Browser Password Managers, Malware Development, Network Security, Security Analysis.

Abstract:

Memorising passwords poses a signiﬁcant challenge for individuals, leading to the increasing adoption of

password managers, particularly browser password managers. Despite their beneﬁts to users’ daily routines,

the use of these tools introduces new vulnerabilities to web and network security. This paper aims to investigate

these vulnerabilities and analyse the security mechanisms of browser-based password managers integrated

into Google Chrome, Microsoft Edge, Opera GX, Mozilla Firefox, and Brave. Through malware development

and deployment, Dvorak is capable of extracting essential ﬁles from the browser’s password manager for

subsequent decryption. To assess Dvorak functionalities we conducted a controlled security analysis across

all aforementioned browsers. Our ﬁndings reveal that the designed malware successfully retrieves all stored

passwords from the tested browsers when no master password is used. However, the results differ depending

on whether a master password is used. A comparison between browsers is made, based on the results of the

malware. The paper ends with recommendations for potential strategies to mitigate these security concerns.

1 INTRODUCTION

Prioritising web security is crucial, and integrating

password managers into browsers can signiﬁcantly

strengthen defence mechanisms. Despite the vari-

ous challenges that passwords currently pose, they re-

main a widely used form of authentication on the web.

Passwords are typically difﬁcult for attackers to guess

without any prior knowledge of the user (Dell’Amico

et al., 2010), and paradoxically, using the same logic,

it can be equally challenging for users to remember

complex passwords. Consequently, users often resort

to creating weak and short passwords (Gabe Turner,

2023). In fact, a common behaviour among users is

the tendency to reuse the same password on multiple

websites Since this behaviour signiﬁcantly compro-

mises the web security of users, browsers have taken

steps to address it by implementing their own pass-

word managers. These password managers can gen-

erate complex passwords, store them securely, and

automatically ﬁll in log-in forms. However, pass-

word managers are not immune to attacks (Oesch and

Ruoti, 2020), especially browser-based ones (Silver

https://orcid.org/0009-0000-0595-0468

https://orcid.org/0000-0003-3448-6726

et al., 2014). In 2023, a report (Gabe Turner, 2023)

was released, focusing on a survey regarding the util-

isation of password managers. The study, which re-

ceived responses from 1500 U.S. residents, concluded

that the number of people using password managers is

on the rise. In 2022, the adoption rate was ≈ 21%,

while in 2023, it increased to ≈ 34%, indicating a

growth of ≈ 13%. Additionally, the article reports

that ≈ 28% of people stored their passwords in the

browser in 2023, compared to ≈ 23% in 2022. This

trend appears to be consistently growing.

In this paper, we delve into browser-based pass-

word managers integrated into widely used platforms

such as Google Chrome, Microsoft Edge, Opera GX,

Mozilla Firefox, and Brave. This paper seeks to

unearth vulnerabilities and explore the correspond-

ing security mechanisms. By using specialised mal-

ware capable of extracting important ﬁles from each

browser’s password manager, we conduct controlled

experiments. The created malware was able to suc-

cessfully breach the defences of the tested browsers

and extract all stored passwords in cases where a

master password was not utilised. Interestingly, the

results showed differences depending on whether a

master password was used. To augment the com-

prehensiveness of our research, we compared the re-

434

Areia, J., Santos, B. and Antunes, M.

Dvorak: A Browser Credential Dumping Malware.

DOI: 10.5220/0012731300003767

Paper published under CC license (CC BY-NC-ND 4.0)

In Proceedings of the 21st International Conference on Security and Cryptography (SECRYPT 2024), pages 434-441

ISBN: 978-989-758-709-2; ISSN: 2184-7711

sults of malware across different browsers. This ex-

amination revealed important differences in the secu-

rity of each platform, providing valuable insights for

users, developers, and security experts. Our investiga-

tion aimed to understand the security measures imple-

mented in password managers beyond just identifying

vulnerabilities. After uncovering these ﬁndings, our

paper concludes with recommendations for potential

remediation strategies that can be implemented to ad-

dress the security concerns that have been identiﬁed.

This paper also aims to serve as a guiding compass,

presenting insights and suggestions to strengthen the

security of browser-based password management.

Contributions of this paper are summarised as

follows. To the best of our knowledge, this paper

is the ﬁrst attempt to introduce a malware capable

of gathering the necessary ﬁles associated with the

Browser-based Password Manager (BPM) of ﬁve dif-

ferent browsers and decrypting them, thereby gaining

access to users’ credentials. To promote reproducible

research, the code is available on GitHub repository

(not shown for blind review), as well as a video

demonstrating the malware usage. In comparison to

other studies (refer to Section 2), the paper stands out

as the sole effort entirely focused on addressing the

security concerns of BPM. In addition to highlighting

these concerns, we employ a comprehensive toolkit

to decrypt and gain access to passwords stored across

ﬁve different browsers: Google Chrome, Microsoft

Edge, Opera GX, Mozilla Firefox, and Brave. The

paper also addresses open challenges and provides so-

lutions to the security concerns identiﬁed, which can

enhance the security of users utilising BPM. These

solutions can be implemented by browser developers

to improve user security.

The paper is organised as follows. Section 2 pro-

vides a detailed background and reviews related work

in the literature. Section 3 presents all the work de-

veloped within this research. Section 4 discusses the

results obtained within this research and provides a

brief discussion of the ﬁndings. Section 5 focuses on

the open challenges and future work inherent in this

theme. Finally, Section 6 concludes the paper with

pointers to future research directions.

2 BACKGROUND

We begin by reviewing essential background informa-

tion related to browser credential storage, cryptogra-

phy employed in this context, types of attacks, partic-

ularly initial access attacks aimed at gaining access to

a user’s computer, and exﬁltration techniques aimed

at stealing user’s data.

Web browsers, such as Google Chrome, Mozilla

Firefox, Microsoft Edge, Opera GX, and Brave, are

applications designed to retrieve and display web

pages, facilitating users’ access to web content (Nel-

son et al., 2020). Occasionally, users need to log in

with their credentials to view personal content. These

browsers typically store website credentials, encom-

passing usernames and passwords, with the user’s per-

mission (Gasti and Rasmussen, 2012), thereby reliev-

ing users of the burden of memorising them for fu-

ture use. This encapsulates the principle of any pass-

word manager (Yang et al., 2014): securely storing

user passwords so that users need not remember them

for subsequent use.

Another important concept when talking about

password managers is the master/primary password,

which serves as a single password granting access

to all the credentials stored in the password manager

(Vossaert et al., 2014). Therefore, the creation of the

master password should adhere to secure standards.

Firefox already gives the option of utilising a master

password to protect your credentials. However, Fire-

fox does not actively encourage users to use a master

password, which may lead to lower adoption rates of

this security feature (Gabe Turner, 2023). Chromium-

based browsers do not have the option to set up a mas-

ter password, but they use the computer as the master

password. This means that the decryption of the cre-

dentials can only occur in the same computer as the

encryption. This type of master password is weak if

the computer is compromised.

Adversaries can obtain credentials from web

browsers by accessing and decrypting ﬁles speciﬁc to

the target browser (Luevanos et al., 2017). Google

Chrome, Microsoft Edge, Opera GX, and Brave, are

all Chromium-based browsers. Therefore, the ﬁle lo-

cations and the type of storage used for storing cre-

dential values are similar among all. The creden-

tial database location is the default proﬁle folder of

each browser, it is named Login Data and is in the

SQLite 3 format (Muslim et al., 2020). This database

can be opened with a simple database browser, but

the stored passwords are encrypted. The username

and password can be found in the table logins under

username value and password value respectively.

The URL for the respective website can be found in

the same table under origin url and action url. A

key to decrypt the passwords is required and is located

in the parent directory of the database, in a JSON

ﬁle named Local State (Mistele, 2021), which con-

tains the base64-encoded key required to decrypt the

browser-saved credentials (Deneut, 2022). This de-

cryption key is inside os crypt and with the name

encrypted key.

Dvorak: A Browser Credential Dumping Malware

435

Mozilla Firefox stores its credentials in a JSON

ﬁle named logins.json, and the key required to

decrypt this information is stored in a SQLite 3

database named key4.db (Mistele, 2021). The

username, password and the respective URL are

stored in the JSON ﬁle inside logins with the

names encryptedUsername, encryptedPassword

and formSubmitURL respectively. The decryption

key inside the database can be found in the table

metaData under password. It is important to note

that the Firefox versions prior to 75 do not have the

ﬁle key4.db, instead it uses the ﬁle key3.db (Cl

evy,

2013).

Encryption is a way of permutation data so that

only authorised parties can understand the informa-

tion (Stallings, 2017). Encrypting and decrypting data

requires cryptographic keys and a cryptographic algo-

rithm (Menezes et al., 2018). Normally, only autho-

rised parties should have the key to decrypt the data.

If that key is compromised, the encrypted data may

also be compromised. Encrypted data can be com-

promised if the key and the algorithm utilised, in the

encryption, are known (Shabtai et al., 2012). In the

context of browser-stored credentials, most browsers

store encrypted data and the decryption key locally in

the user proﬁle directory (Yang et al., 2014).

Chromium-based browsers encrypt credentials us-

ing the symmetric algorithm AES (Lawrence, 2020;

Dan Wesley, 2023) and they encrypt the decryption

key using the CryptUnprotectData function. This

function is part of the Win32 API, used in C++,

the main programming language used to create the

Chromium-based browsers (Ashcraft, 2022) (Qian

et al., 2020). CryptUnprotectData was made avail-

able by Microsoft and is only utilised in Windows

(Sajid et al., 2021). This function is characterised by

the requirement that only a user with identical login

credentials to the one who encrypted the data can de-

crypt it (Ashcraft, 2022). Furthermore, both the en-

cryption and decryption processes must occur on the

same computer. Firefox uses the AES algorithm for

the encryption of the credentials and the 3DES algo-

rithm for the encryption of the decryption key (Zhao

and Yue, 2013).

To gain access to a machine, adversaries employ

various initial access techniques. Examples of these

attacks include phishing attachment (Alabdan, 2020)

and replication through removable media (Muslim

et al., 2020). A phishing attachment attack is a

type of social engineering attack that employs intelli-

gent emails with malware attachments. These emails

exploit human behaviour to make the receiver exe-

cute the malware attachment. This malware attach-

ment requires user execution for attacker access (Al-

Mohannadi et al., 2016). Replication through remov-

able media works by relying on the physical introduc-

tion of a removable media, with malware, into a de-

vice. The mentioned media can be a USB ﬂash drive

or any other device that connects to the system (Nis-

sim et al., 2017). This technique targets untrained in-

dividuals in the ﬁeld of cybersecurity (Tetmeyer and

Saiedian, 2010).

For data exﬁltration, which involves the unautho-

rised transfer of sensitive information from a system

or network, breaching conﬁdentiality and compromis-

ing data integrity (Alshamrani et al., 2019), adver-

saries can employ various techniques. These tech-

niques may include trafﬁc duplication (Al-Mhiqani

et al., 2020) and exﬁltration to cloud storage (Ullah

et al., 2018). Another method used is through web-

hooks, which are HTTP-based callback functions that

allow communication between two APIs (Biswas,

2021). Attackers can exploit these webhooks to ex-

ﬁltrate and pilfer user data without leaving any trace

of their identity (Alshamrani et al., 2019). A sim-

ple HTTP server listening to HTTP POST requests is

also commonly used for exﬁltration (Al-Bataineh and

White, 2012).

2.1 Literature Review

Numerous researchers have dedicated their efforts to

understanding and conducting security analyses of

various password managers, encompassing both non-

browser-based and a few browser-based options. This

subsection aims to present some of the works related

to this topic.

In 2013, knowledge-based, traditional and new

password attacks were presented (Ciampa, 2013).

Additionally, the author conducted a social study on

user preferences for BPM. The results led to the con-

clusion that within a group of students (N = 166),

the majority preferred to use their web browser as a

password manager over alternatives such as LastPass

(Ciampa, 2013). However, users did not highly rate

using web browser managers as an activity that im-

proved the security of their accounts. Instead, they

perceived themselves as using strong passwords and

having sufﬁcient memory to store all their passwords.

In the same year, research focusing on BPM

was conducted (Zhao and Yue, 2013). The authors

analysed four different browsers: Firefox, Google

Chrome, Opera, and Safari. In their analysis, they

described how browsers store credentials, including

the ﬁles used for storage and the encryption methods

employed, and highlighted the signiﬁcant vulnerabil-

ity in the ways browsers store credentials (Zhao and

Yue, 2013). Consequently, they proposed a cloud-

SECRYPT 2024 - 21st International Conference on Security and Cryptography

436

Table 1: A Literature Work Comparison: Assessing Malware Development, Interoperability Analysis, Browser Analysis,

Vulnerability Analysis, Proposed Countermeasures, and Mapping Countermeasure to Attack Vectors.

Works Reviewed

Malware

Development

Interoperability

Analysis*

Browser Analysis

(N ⩾ 3)

Vulnerability

Analysis

Proposed

Countermeasures

Mapping Countermeasures

To Attack Vectors

(Ciampa, 2013) - - - - ✓ -

(Zhao and Yue, 2013) - - ✓ ✓ ✓ ✓

(Yang et al., 2014) - - - ✓ ✓ ✓

(Oesch and Ruoti, 2020) - - - ✓ ✓ -

(Muslim et al., 2020) ✓ - - ✓ ✓ ✓

Our Work ✓ ✓ ✓ ✓ ✓ ✓

*By interoperability, we mean the ability to decrypt the password database on an external computer that is not the one that encrypted the passwords.

based storage-free BPM where protected data would

be entirely stored in the cloud, eliminating the need

for anything to be stored on a user’s computer.

In 2014, literature advocating for cloud-based

password managers utilising privacy-preserving bio-

metrics was published (Yang et al., 2014). In

their research, they exposed vulnerabilities in various

browsers, particularly concerning the local storage of

information. They argue that this method of storing

credentials is highly insecure and proposed a cloud-

based password manager that utilises two-factor au-

thentication, comprising a master password and bio-

metric authentication. Both authentication factors are

stored locally on the client’s computer, enhancing in-

herent privacy preservation.

In 2020 an analysis of the most common pass-

word managers, such as KeePassX, KeePassXC, Bit-

Warden, and LastPass, along with some BPM was

conducted (Oesch and Ruoti, 2020). They examined

various aspects of these password managers, includ-

ing password strength, randomness, storage, vault en-

cryption, metadata privacy, and the auto-ﬁll system.

The authors also offered recommendations based on

their conclusions, advising against certain password

managers, providing suggestions for improving ex-

isting password managers, and identifying areas for

future research. These include exploring safer aut-

oﬁll systems, implementing improved master pass-

word policies, and developing ﬁlters to identify weak

passwords (Oesch and Ruoti, 2020).

In that same year, a paper presenting the imple-

mentation and analysis of a USB password stealer us-

ing PowerShell in Google Chrome and Firefox was

introduced (Muslim et al., 2020). Similar to other

studies, authors analysed and exposed vulnerabilities

inherent in BPM and attempted to exploit them. With

success, and aided by various Arduino hardware, they

were able to steal credentials from both aforemen-

tioned browsers. The attack involved plugging the

USB stick into the victim’s computer, initialising the

PowerShell script, downloading the necessary mal-

ware from their GitHub repository, gathering all the

ﬁles, decrypting them on the victim’s computer, and

ﬁnally sending the ﬁles to their Gmail account (Mus-

lim et al., 2020). The results indicated that this pro-

cess took an average of 14 seconds before sending it

to the author’s email.

The studies presented in this literature review en-

hance the community’s comprehension of password

manager security and their adoption among users.

These studies not only furnished crucial insights into

the concepts but also proposed solutions for address-

ing future mitigation within the respective domains.

Furthermore, to ascertain the novelty and distinctive

contribution of our work, we conducted a thorough

analysis of related reviews, comparing them with ours

in terms of objectives and ﬁndings (Table 1).

3 MATERIALS AND METHODS

This section shows the implementation process of the

Dvorak developed which tries to gather and decrypt

browser credentials to test the safeness of storing cre-

dentials in the most common browsers. To conduct

the test, two scripts were created: one to gather en-

crypted credentials and exﬁltrate them, and the other

to attempt decryption. The Dvorak will be made up

of these two Python scripts. Figure 1 illustrates the

attack scenario conducted in this research.

The objective of the test is to evaluate, for each

browser, how hard it is to gather the encrypted cre-

dentials and, if possible, how hard it is to decrypt

them. An attempt to decrypt credentials protected

by the master password will also be made. Firefox

protects the credentials with a master password set

by the user, while Chromium-based browsers relies

upon the computer as the master password. Dvo-

rak was created in a controlled environment and was

tested locally in compliance with law and ethical

guidelines. For the creation and testing of the mal-

ware, a single Windows 11 machine was utilised

along with the programming language Python. It

is worth noting that Windows Defender was always

Dvorak: A Browser Credential Dumping Malware

437

Attacker

Victim's Computer

Sending Credential

Information Gathered

Dvorak Initialisation

Information Gathering

Sends a Decoy

Attacker's Computer

Plain Text Passwords

Decrypt Information

Attacker's

Server

Fetches

Information

Figure 1: A Comprehensive Dvorak Attack Flow for Ac-

quiring User’s BPM Credentials.

active at the time of testing. Furthermore, admin-

istrator privileges were not needed to execute the

Python script. The browsers used for testing were:

Google Chrome version 121.0.6167.161, Microsoft

Edge version 121.0.2277.112, Mozilla Firefox ver-

sion 122.0.1, Opera GX version 106.0.4998.76 and

Brave version 1.62.162. The versions used in the test

were the most recent versions available at the time of

writing this paper. The complete Dvorak workﬂow

is shown in Figure 2, which is divided into ﬁve dif-

ferent phases: (I) initial access, (II) initialisation and

information gathering, (III) compress and deliver in-

formation, (IV) receive and decrypt the information,

and (V) gain access to information in plain text.

In the ﬁrst phase (I) the Dvorak needs to be in-

ﬁltrated into the victim’s computer. The next step

(II) for the malware would be to obtain the encrypted

browser credentials. To gather that information, we

developed a script that collects this type of informa-

tion from the aforementioned browsers. This infor-

mation is scattered across multiple encrypted ﬁles (re-

fer to Section 2). The script must know which operat-

ing system the victim is using so that the ﬁle locations

can be adjusted accordingly.

For transferring the ﬁles to the attacker’s com-

puter, a webhook could have been employed; how-

ever, for simplicity’s sake, a basic local HTTP server

implemented with Flask, in Python, was utilised.

When exﬁltrating the encrypted ﬁles, a potential issue

arises as some ﬁles from Chromium-based browsers

share the same name. Consequently, in the subse-

quent phase (III), the solution was to address this

by creating a compressed archive containing the en-

crypted ﬁles for each browser. These compressed

Initial Access

Plain Text Passwords

(I)

(IV)

Mozilla Firefox

"logins.json"

"key4.db"

Chromium-Based

"Login Data"

"Local State"

Receive Information

Decrypt Information

Compress Information

Send Information

(III)

Dvorak Initialisation

Information Gathering

(II)

(V)

Figure 2: The Structured Dvorak Framework in Five Key

Phases: (I) Initial Access, (II) Initialisation and Information

Gathering, (III) Compress and Deliver Information, (IV)

Receive and Decrypt the Information, and (V) Gain Access

to Information in Plain Text.

archives were exﬁltrated via a POST request to the

local HTTP server.

With the encrypted ﬁles in hand, the next step (IV)

is to decrypt the ﬁles to get the credentials in plain

text. A script was also developed for this purpose,

which was divided into Chromium-based decryption

and Firefox decryption due to the variation in the de-

cryption process for each browser.

The Chromium decryption process is divided into

three different parts: (1) getting the encrypted secret

key from the Local State ﬁle and decrypting it with

the CryptUnprotectData function, (2) getting the

SECRYPT 2024 - 21st International Conference on Security and Cryptography

438

URL, the username and the encrypted password from

the Login Data ﬁle, and (3) use the decrypted secret

key to decrypt the password using the AES algorithm

in Galois/Counter Mode (GCM) mode.

Firefox’s decryption process is similar but uses

different algorithms to do the same. This process is

also divided into three different parts: (1) getting the

encrypted secret key from the key4.db ﬁle and de-

crypting it with the AES algorithm in Cipher Block

Chaining (CBC) mode, (2) getting the URL and the

encrypted credentials from the logins.json ﬁle, and

(3) use the decrypted secret key to decrypt the pass-

word and username with the DES3 algorithm in CBC

mode. Following the decryption process, Dvorak en-

ters its ﬁnal phase (V), during which the attacker gains

access to the passwords in plain text, provided that the

decryption process is successful.

The script was designed to operate on Windows,

and additional development and research would be

necessary to adapt it to other operating systems. The

malware’s development drew inspiration from two re-

lated works (Cl

evy, 2013; Yicong, 2020). By success-

fully decrypting the credentials, we demonstrate the

feasibility of accessing browser-stored credentials.

4 RESULTS AND DISCUSSION

This section discusses the ﬁndings of the research re-

garding the performance of the developed malware.

The goal was to evaluate the difﬁculty of obtain-

ing and decrypting the credentials stored in the BPM

while simultaneously assessing the security implica-

tions of storing credentials in browsers. For this pur-

pose, a custom malware designed to steal saved user

credentials was employed. Dvorak successfully re-

trieved saved login information from the aforemen-

tioned web browsers when no master password was

utilised. When a master password is utilised in

Firefox, the malware is incapable of decrypting the

credentials. Additionally, because Chromium-based

browsers use the computer as the master password,

the results indicate that it is only possible to decrypt

the credentials if the computer and the user are the one

that encrypts the information. Table 2 presents the ob-

tained results divided into four different topics: gath-

ering information, the decryption process without a

master password, system interoperability and decryp-

tion with a master password. A check mark indicates

successful completion of the task.

The results of this research indicate that the mal-

ware successfully extracted usernames, passwords,

and their respective URLs from all the tested browsers

when no master password was used. The browser’s

encryption for saving credentials locally was compro-

mised. This means that the encryption used for the

secret key, which is used to encrypt the credentials,

was broken. When a master password was used, Dvo-

rak could not decrypt the Firefox credentials. How-

ever, Dvorak had success in decrypting Chromium-

based credentials, meaning that using the computer as

a master password has no security effect if the com-

puter is invaded. It should be noted that all of this test-

ing was done locally, which means that all the compo-

nents utilised are saved locally on the machine, facil-

itating the process. The combination of these results

shows that credentials saved in browsers are suscepti-

ble to being stolen and decrypted. While saving cre-

dentials locally is not inherently insecure, it becomes

so when there is no master password, set by the user,

protecting the key and credentials.

During the development of this malware, we dis-

covered that the Firefox-based decryption process

was slightly more complex than the Chromium-based

decryption process, as it was manually crafted with-

out relying on any pre-existing package, such as AES,

which is utilised within the Chromium-based decryp-

tion process. Furthermore, Chromium-based creden-

tials can only be decrypted in the same computer, and

by the same user, that encrypted them. However, this

does not change the fact that the credentials were still

gathered and decrypted when no master password was

used. In terms of saving local credentials, Firefox is

more secure than the other mentioned browsers, but

only if a master password is set by the user.

5 OPEN CHALLENGES

Based on our analysis, we have identiﬁed the follow-

ing open challenges and areas for future research:

Usage of Master Passwords: BPM should ensure the

conﬁdentiality of credentials, even in the event of a

compromised computer. However, while ﬁxes for this

security issue are already available, browsers do not

encourage or prioritise their use. One straightforward

solution is to employ a master password, also known

as a primary password, to access stored credentials.

This master password should be strong and not stored

anywhere on the computer, as it serves as the key to

unlocking all stored credentials. This approach can

help maintain the conﬁdentiality of the user’s creden-

tials, even if the computer is compromised. Fire-

fox already implements a master password system,

however, this option is not widely advertised to users

and may be unknown to many. If the master pass-

word is set, then the developed malware, Dvorak, can-

not decrypt Firefox stored credentials. Chromium-

Dvorak: A Browser Credential Dumping Malware

439

Table 2: Dvorak Benchmark Results: Assessing Performance in Information Gathering, Decryption Process, and System

Interoperability across Google Chrome, Mozilla Firefox, Opera GX, Microsoft Edge, and Brave.

Browser

Information

Gathering

Decryption

W/o Master Password

System

Interoperability*

Decryption

W/ Master Password

Google Chrome ✓ ✓ - ✓

Mozilla Firefox ✓ ✓ ✓ -

Microsoft Edge ✓ ✓ - ✓

Opera GX ✓ ✓ - ✓

Brave Browser ✓ ✓ - ✓

*By interoperability, we mean the ability to decrypt the password database on an external computer that is not the one that encrypted the passwords.

based browsers use the computer as a master pass-

word, which is not a good security measure in case of

malware invasion on the computer. It would be bene-

ﬁcial for browsers to prompt users to set up a master

password by default before storing any credentials in

the browser.

Usage of Two-Factor Authentication: In addition to

the usage of a master password, considering another

authentication mechanism for accessing the creden-

tials is advisable. However, implementing two-factor

authentication (2FA), such as SMS texts or voice-

based tokens, while enhancing the security of the

saved credentials, may signiﬁcantly reduce the usabil-

ity of the password manager. If implemented, we rec-

ommend that 2FA should not be required in all cases.

Cloud Migration: Browsers should consider saving

the secret key used in the encryption/decryption pro-

cess of credentials in the cloud. Access to this key

should indeed only be possible using the master pass-

word mentioned earlier, and the 2FA for even bet-

ter security. If users wish to save credentials in the

browser, they would need to log into their proﬁle and

deﬁne the master password. Consequently, if a com-

puter is compromised, the key would be inaccessi-

ble to malware attempting to decrypt the credentials.

While this approach may slightly decrease usability,

its implementation would greatly enhance security.

6 CONCLUSION

In the modern world, where information plays a cru-

cial role, ensuring maximum security is imperative.

Despite their inherent problems, passwords remain

the most widely used method for achieving a trade-off

between ease of use and ensuring a minimum level

of security. This makes them the predominant form

of authentication in various applications. However,

concerns persist regarding how users store their pass-

words securely. While password managers offer a so-

lution, BPM face challenges in securely storing data

locally. In this paper, we conducted a comprehen-

sive review of how BPM store their credentials and

proposed the potential implementation of various se-

curity measures to grant credential safeness. Addi-

tionally, we introduced a new malware, Dvorak, ca-

pable of gathering the necessary information of ﬁve

different browsers to decrypt the credential databases

of BPM and access the user’s credentials in plain text.

We also advocate for a thorough review of different

methods for password encryption across all browsers.

Finally, we conclude with the importance of ongo-

ing research to evaluate the progress of both password

managers and BPM, with a focus on enhancing secu-

rity and usability aspects.

REFERENCES

Al-Bataineh, A. and White, G. (2012). Analysis and detec-

tion of malicious data exﬁltration in web trafﬁc. In

2012 7th International Conference on Malicious and

Unwanted Software, pages 26–31.

Al-Mhiqani, M. N., Ahmad, R., Zainal Abidin, Z., Yassin,

W., Hassan, A., Abdulkareem, K. H., Ali, N. S., and

Yunos, Z. (2020). A Review of Insider Threat De-

tection: Classiﬁcation, Machine Learning Techniques,

Datasets, Open Challenges, and Recommendations.

Applied Sciences, 10(15):5208.

Al-Mohannadi, H., Mirza, Q., Namanya, A., Awan, I.,

Cullen, A., and Disso, J. (2016). Cyber-Attack Mod-

eling Analysis Techniques: An Overview. In 2016

IEEE 4th International Conference on Future Internet

of Things and Cloud Workshops (FiCloudW), pages

69–76.

Alabdan, R. (2020). Phishing Attacks Survey: Types,

Vectors, and Technical Approaches. Future Internet,

12(10):168.

Alshamrani, A., Myneni, S., Chowdhary, A., and Huang,

D. (2019). A Survey on Advanced Persistent Threats:

Techniques, Solutions, Challenges, and Research Op-

portunities. IEEE Communications Surveys & Tutori-

als, 21(2):1851–1877.

Ashcraft, A. (2022). CryptUnprotectData function. Techni-

cal report, Microsoft Learn.

Biswas, N. (2021). Using Webhooks at the Site. In Biswas,

N., editor, Advanced Gatsby Projects, pages 133–147.

Apress, Berkeley, CA.

SECRYPT 2024 - 21st International Conference on Security and Cryptography

440

Ciampa, M. (2013). A Comparison of User Preferences for

Browser Password Managers. Journal of Applied Se-

curity Research, 8(4):455–466.

evy, L. (2013). Firepwd: An open source tool to decrypt

Mozilla protected passwords.

Dan Wesley, Jeff Borsecnik, S. C. (2023). Microsoft Edge

password manager security.

Dell’Amico, M., Michiardi, P., and Roudier, Y. (2010).

Password Strength: An Empirical Analysis. In 2010

Proceedings IEEE INFOCOM, pages 1–9. ISSN:

0743-166X.

Deneut, T. (2022). Security: General security scripts.

Gabe Turner, Aliza Vigderman, C. B. (2023). Pass-

word Manager Industry Report and Market Outlook

in 2023.

Gasti, P. and Rasmussen, K. B. (2012). On the Security of

Password Manager Database Formats. In Foresti, S.,

Yung, M., and Martinelli, F., editors, Computer Se-

curity – ESORICS 2012, Lecture Notes in Computer

Science, pages 770–787, Berlin, Heidelberg. Springer.

Lawrence, E. (2020). Local Data Encryption in Chromium.

Luevanos, C., Elizarraras, J., Hirschi, K., and Yeh, J.-h.

(2017). Analysis on the Security and Use of Password

Managers. In 2017 18th International Conference on

Parallel and Distributed Computing, Applications and

Technologies (PDCAT), pages 17–24.

Menezes, A. J., Van Oorschot, P. C., and Vanstone, S. A.

(2018). Overview of cryptography. In Handbook of

Applied Cryptography, pages 35–39. CRC press.

Mistele, K. (2021). Stealing Saved Browser Passwords:

Your New Favorite Post-Exploitation Technique.

Muslim, A. A., Budiono, A., and Almaarif, A. (2020).

Implementation and Analysis of USB based Pass-

word Stealer using PowerShell in Google Chrome

and Mozilla Firefox. In 2020 3rd International Con-

ference on Computer and Informatics Engineering

(IC2IE), pages 421–426.

Nelson, R., Shukla, A., and Smith, C. (2020). Web Browser

Forensics in Google Chrome, Mozilla Firefox, and the

Tor Browser Bundle. In Zhang, X. and Choo, K.-

K. R., editors, Digital Forensic Education, Studies in

Big Data, pages 219–241. Springer International Pub-

lishing, Cham.

Nissim, N., Yahalom, R., and Elovici, Y. (2017). USB-

based attacks. Computers & Security, 70:675–688.

Oesch, S. and Ruoti, S. (2020). That was then, this is now:

A security evaluation of password generation, storage,

and autoﬁll in Browser-Based password managers. In

29th USENIX Security Symposium (USENIX Security

20), pages 2165–2182. USENIX Association.

Qian, C., Koo, H., Oh, C., Kim, T., and Lee, W. (2020).

Slimium: Debloating the Chromium Browser with

Feature Subsetting. In Proceedings of the 2020 ACM

SIGSAC Conference on Computer and Communica-

tions Security, CCS ’20, pages 461–476, New York,

NY, USA. Association for Computing Machinery.

Sajid, M. S. I., Wei, J., Abdeen, B., Al-Shaer, E., Islam,

M. M., Diong, W., and Khan, L. (2021). SODA: A

System for Cyber Deception Orchestration and Au-

tomation. In Proceedings of the 37th Annual Com-

puter Security Applications Conference, ACSAC ’21,

pages 675–689, New York, NY, USA. Association for

Computing Machinery.

Shabtai, A., Elovici, Y., and Rokach, L. (2012). Introduc-

tion to Information Security. In Shabtai, A., Elovici,

Y., and Rokach, L., editors, A Survey of Data Leakage

Detection and Prevention Solutions, SpringerBriefs in

Computer Science, pages 1–4. Springer US, Boston,

MA.

Silver, D., Jana, S., Boneh, D., Chen, E., and Jackson, C.

(2014). Password managers: Attacks and defenses. In

23rd USENIX Security Symposium (USENIX Security

14), pages 449–464, San Diego, CA. USENIX Asso-

ciation.

Stallings, W. (2017). Cryptography and Network Security:

Principles and Practice. Prentice Hall Press, USA,

7th edition.

Tetmeyer, A. and Saiedian, H. (2010). Security Threats and

Mitigating Risk for USB Devices. IEEE Technology

and Society Magazine, 29(4):44–49.

Ullah, F., Edwards, M., Ramdhany, R., Chitchyan, R.,

Babar, M. A., and Rashid, A. (2018). Data exﬁltra-

tion: A review of external attack vectors and counter-

measures. Journal of Network and Computer Appli-

cations, 101:18–54.

Vossaert, J., Lapon, J., and Naessens, V. (2014). Out-of-

Band Password Based Authentication towards Web

Services. In De Strycker, L., editor, ECUMICT 2014,

Lecture Notes in Electrical Engineering, pages 181–

191, Cham. Springer International Publishing.

Yang, B., Chu, H., Li, G., Petrovic, S., and Busch, C.

(2014). Cloud Password Manager Using Privacy-

Preserved Biometrics. In 2014 IEEE International

Conference on Cloud Engineering, pages 505–509.

Yicong, J. O. (2020). Decrypt chrome passwords.

Zhao, R. and Yue, C. (2013). All your browser-saved pass-

words could belong to us: a security analysis and a

cloud-based new design. In Proceedings of the third

ACM conference on Data and application security and

privacy, CODASPY ’13, pages 333–340, New York,

NY, USA. Association for Computing Machinery.

Dvorak: A Browser Credential Dumping Malware

441