Snakeoil AcademyAttend PyCon AU 2021

Stealing Chrome cookies without a password

Alex

they/them

“Alex” (@mangopdf) does Red Teaming, recently completed Operation ACTUAL CRIMES, and can’t wait until they’re inevitably struck down by their own hubris.

They’re known for hacking a friend (with consent!) in Operation Luigi, being an organiser for purplecon.nz (a defensive, inclusive, pastel-purple security conference) and for writing dumb blog posts on mango.pdf.zone. They’re also known for exposing a privacy flaw in Tinder, and showing it was possible to make graphs of when your Facebook friends are awake.

At PyCon AU, they’ll be wearing their Sunday best emotionally, and hence or otherwise tryign their bset.

Stealing Chrome cookies without a password

buckle up kiddo we’re gonna commit digital sin If you steal someone’s Chrome cookies, you can log in to their accounts on every website they’re logged in to.

Normally you need the user’s password to do it, but I found a way to do it without the password. You just need to be able to execute code on their computer. It works by using Chrome’s Remote Debugging Protocol. To my knowledge this is the only way to extract a user’s Chrome cookies without their password, and by far the easiest way.

It involves plugging together several extremely forbidden and undocumented Chrome features, as well as figuring out how to speak the websocket protocol stealthily on a victim’s machine.

This talk is about how the technique was found, how it works, and what you can do with it.

Conference schedule listing