Open
Labels: bug (Something isn't working)
Description
Describe the issue
- Start a new virgin copy of Google Chrome.
- Install Authenticator.cc.
- Open Authenticator, go to settings, go to Security, set a password.
- Click pencil and '+' to add a new TOTP code.
- Select Manual Entry.
- In Issuer type "Test:Test". In Secret type "deadbeefdeadbeef". Optionally set a user name.
- Press OK.
- In a terminal:

  ```
  strings $HOME/.config/google-chrome/Default/Sync\ Extension\ Settings/bhghoamapcdpbohphigoooaddinpkbai/000003.log | grep Test
  {"account":"Test","dataType":"OTPStorage","encrypted":false,"hash":"20a08da0-dc26-4226-a253-4d2291a7fa64","index":0,"issuer":"Test:Test","secret":"deadbeefdeadbeef","type":"totp"}u}
  ```
- Observe that the secret is available in plaintext even though we set an encryption password. This means that an attacker with access to your terminal could extract the TOTP secret, which is what the password is meant to prevent.
Browser
Chrome
Browser Version
140.0.7339.80
Extension Version
8.0.1
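Added example (not part of the issue above and not code from the Authenticator.cc project): a script that automates the check the reporter did by hand with `strings | grep`. It walks the leveldb `.log` files under the extension's `Sync Extension Settings` directory, pulls out every JSON object it can decode, keeps the `OTPStorage` records whose `secret` is stored with `encrypted:false` (or whose secret still decodes as base32, i.e. looks like a raw TOTP seed), and then derives a current TOTP code from the recovered secret to show that what leaks is directly usable. The extension ID and the first record in `SAMPLE_LOG` are copied from the report; the binary framing bytes and the second, `encrypted:true` record are constructed for the demo. The `scan_chrome_profile` function, its glob pattern and the `config_dir` default are this example's own assumptions about the Chrome profile layout on Linux.

```python
"""Find plaintext OTP secrets in Chrome extension-storage leveldb logs."""
import base64
import binascii
import glob
import hashlib
import hmac
import json
import os
import struct
import time

# Extension ID taken from the path in the bug report.
AUTHENTICATOR_EXT_ID = "bhghoamapcdpbohphigoooaddinpkbai"

# Constructed stand-in for 000003.log: the plaintext record from the report plus an
# invented encrypted one, surrounded by arbitrary framing bytes. Not a real capture.
SAMPLE_LOG = (
    b"\x00\x00\x00\x00\x10\x00\x01" + AUTHENTICATOR_EXT_ID.encode() + b"\x00"
    b'{"account":"Test","dataType":"OTPStorage","encrypted":false,'
    b'"hash":"20a08da0-dc26-4226-a253-4d2291a7fa64","index":0,'
    b'"issuer":"Test:Test","secret":"deadbeefdeadbeef","type":"totp"}u}'
    b"\xff\xfe\x00"
    b'{"account":"enc","dataType":"OTPStorage","encrypted":true,'
    b'"hash":"00000000-0000-0000-0000-000000000000","index":1,'
    b'"issuer":"Other","secret":"U2FsdGVkX1-not-base32","type":"totp"}'
    b"\x00"
)

_DECODER = json.JSONDecoder()


def extract_json_objects(data):
    """Yield each JSON object that decodes from a '{"' position in raw bytes.

    leveldb .log records are written uncompressed, so the JSON sits verbatim
    between binary framing; latin-1 maps every byte to exactly one character.
    """
    text = data.decode("latin-1")
    pos = 0
    while True:
        start = text.find('{"', pos)
        if start < 0:
            return
        try:
            obj, end = _DECODER.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1  # not a full object here; keep scanning
            continue
        if isinstance(obj, dict):
            yield obj
        pos = end


def is_base32_secret(secret):
    """True if the string decodes as base32, the form TOTP seeds are shared in."""
    s = secret.replace(" ", "").upper()
    try:
        base64.b32decode(s + "=" * (-len(s) % 8))
        return True
    except (binascii.Error, ValueError):
        return False


def find_plaintext_otp_secrets(data):
    """Return OTPStorage records whose secret is stored unencrypted."""
    found = []
    for obj in extract_json_objects(data):
        if obj.get("dataType") != "OTPStorage" or "secret" not in obj:
            continue
        if obj.get("encrypted") is False or is_base32_secret(obj["secret"]):
            found.append({"issuer": obj.get("issuer"), "account": obj.get("account"),
                          "type": obj.get("type"), "secret": obj["secret"],
                          "encrypted_flag": obj.get("encrypted")})
    return found


def totp(secret_b32, for_time=None, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) from a base32 seed: proves the leaked secret works."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int((time.time() if for_time is None else for_time) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def scan_chrome_profile(ext_id=AUTHENTICATOR_EXT_ID, config_dir=None):
    """Assumed Linux layout: <config>/<profile>/Sync Extension Settings/<ext>/*.log."""
    config_dir = config_dir or os.path.expanduser("~/.config/google-chrome")
    pattern = os.path.join(config_dir, "*", "Sync Extension Settings", ext_id, "*.log")
    results = {}
    for path in glob.glob(pattern):
        with open(path, "rb") as fh:
            hits = find_plaintext_otp_secrets(fh.read())
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for rec in find_plaintext_otp_secrets(SAMPLE_LOG):
        print(f"{rec['issuer']} ({rec['account']}): plaintext secret, "
              f"current code {totp(rec['secret'])}")
    for path, hits in scan_chrome_profile().items():
        print(f"{path}: {len(hits)} plaintext OTP secret(s)")
```

Two caveats when running this against a real profile: leveldb eventually compacts `.log` entries into `.ldb` tables whose blocks may be snappy-compressed, so a clean `.log` does not mean the secret is gone from disk, and because the data lives under `Sync Extension Settings` it is also part of what Chrome syncs to the Google account, so the local file is not the only copy to worry about.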