Question
Obviously the first answer is "a malicious application can do much worse than that." However, it seems like a really easy thing for an application to read your cookies, saved passwords, etc. from your browser settings that are saved in your browser's folder inside AppData (on Windows). It seems like a really hard thing for antivirus to detect, since AppData is supposed to have easy read/write permissions for all apps. Is there anything to stop software from silently reading this information alongside its normal function?
Explanation / Answer
This can very well be a concern. Different browsers handle it in different ways. Chrome passwords on Windows are not stored in some file in AppData; they're stored using Windows's DPAPI, which means that they're encrypted with a key derived from your Windows password, so they're secure if someone doesn't have access to your Windows account. However, while it's not necessarily trivial for other programs running under your user account to access the passwords, it's by no means impossible to do so. The basic principle seems to have been "there actually is no secure way to have the passwords stored in memory (not on disk) and keep other programs from accessing them, so let's not pretend there is" -- thus, for a long time, it didn't prompt you for a master password at all (you were logged in, and that's your master password). Nowadays, they have implemented a Windows password prompt to view stored passwords; there's no technical benefit, but it's much harder to casually view someone else's passwords.
Firefox instead implemented its own crypto modules from scratch, starting from Netscape days (other browsers tend to use OS functions for crypto). Its passwords are encrypted by Firefox, with an optional master password that the user must enter before it will autofill passwords (and again each time you want to show all passwords). This is probably more secure when Firefox is not running -- the Chrome password DB is open to all programs running as your user, but the Firefox one is only open when Firefox is actually running.
However, when Firefox is running, any program running as you can see what it has in memory. Because it doesn't prompt for a master password each and every time you need a password filled, other programs can then read the password DB because you decrypted it for Firefox. They can do this until Firefox is closed.
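The DPAPI behaviour the answer describes for Chrome can be seen directly with a small round trip. The PowerShell below is an added example, not code from the original answer or from any browser; it runs on Windows, uses the public ProtectedData API, and the plaintext and the "entropy" value are constructed sample inputs. It shows two things: a CurrentUser-scoped blob can be unprotected by any process running as that same user (the answer's point about other programs under your account), and the optional entropy argument lets an application require an extra secret that is not part of the user profile, which is one way a program can narrow that exposure.

```powershell
# Added example (not from the original answer): DPAPI round trip in PowerShell on Windows.
Add-Type -AssemblyName System.Security   # ProtectedData lives here on Windows PowerShell 5.1

$scope     = [Security.Cryptography.DataProtectionScope]::CurrentUser
$plaintext = [Text.Encoding]::UTF8.GetBytes('constructed sample secret')
# Assumption: an application-supplied secret that is not stored alongside the blob.
$entropy   = [Text.Encoding]::UTF8.GetBytes('constructed per-app entropy')

# Protect with the logged-on user's DPAPI master key (the key material that is
# derived from the Windows logon credential, as the answer describes).
$blob = [Security.Cryptography.ProtectedData]::Protect($plaintext, $entropy, $scope)

# Any process running as this same user can reverse it; no prompt is involved.
$roundTrip = [Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
"Same user, right entropy: " + [Text.Encoding]::UTF8.GetString($roundTrip)

# Without the matching entropy the call fails even for the same user.  A different
# user account (a different DPAPI master key) fails the same way.
try {
    [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope) | Out-Null
    'Unprotected without entropy (unexpected)'
} catch [System.Security.Cryptography.CryptographicException] {
    'CryptographicException: wrong entropy or different user'
}
```

Run it in a normal user session; the first line prints the sample string back, the second prints the exception branch. Note that the entropy is only as secret as wherever the application keeps it: if it sits in the same profile directory as the blob, it adds nothing against code running as that user.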