Last month, Google announced a much needed security enhancement to the OS X Chromium builds. The new feature provides Mac users with the option to require OS level authentication before access is granted to saved passwords.
This change comes on the heels of much criticism regarding the way Chrome stores passwords, credit card numbers, and other auto-complete data. Less discussed is that Chrome may also store tokens for Google accounts in plaintext.
The result of this design is that malware can target data stored by Chrome to gain token based access to a Google account even when the account is configured for 2-step verification.
Last month at the private JOINSEC security conference in London, I demonstrated that a Python script could extract tokens and upload them to a remote server, which then obtains the session cookies needed to access compromised Google accounts.
This specific risk arises when using a Google account to sign into the Chrome browser for synchronizing bookmarks, history, and other settings across devices.
After a user has done this, data stored within Chrome’s unencrypted preferences file can be used by an attacker to gain access to the Google account even if it was configured to use 2-step verification.
In order to demonstrate the risks from signing into the Chrome browser, I have prepared a video showing a proof-of-concept attack.
I will not be going into the technical details of this attack, but Adam Goodman did a nice article about weaknesses in how Chrome handles tokens. You can find his post on the Duo Security blog.
Until Google comes up with a better solution for protected storage within Chrome, I would recommend that users avoid using the Chrome sign-in feature.
As I’ve pointed out at BSides SF and DEFCON 21, tokens should be considered as sensitive as passwords and safeguarded to preserve the confidentiality and integrity of a Google account.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has also compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
This publication is designed to assist executives by providing guidance for implementing broad baseline technical controls that are required to ensure a robust network security posture.
The author, a security and compliance architect, examined each of the Controls and has distilled key takeaways and areas of improvement. At the end of each section in the e-book, you’ll find a link to the fully annotated complete text of the Control.
Download your free copy of The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities today.
Definitive Guide to Attack Surface Analytics
Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.
* Show how security activities are enabling the business
* Balance security risk with business needs
* Continuously improve your extended enterprise security posture
Download the IT Security Budget Roundup for CIOs and CISOs
Each year, numerous industry research reports provide budget forecasting on expected spending for worldwide IT. Some add a focus within specific industries as well as technologies, but very few focus strictly on IT security.
Bringing a few of the most notable reports together provides a valuable roundup of information for IT operations, including forecasts of IT security spending.
This may be a time-saver for busy CIOs and CISOs and their teams who are seeking data to compare, support and defend possibly thin IT security budgets, or a needed increase to meet business priorities.
This report is organized to review what the research shows, business priorities and trends to tap, and strategies on how to defend your numbers.
Title image courtesy of ShutterStock