With passwords stolen in seconds, Chrome’s security measures are a bummer.

On weekend mornings, Tony and I are sleeping in a warm nest, enjoying the holiday after working overtime for seven days on National Day.

I was suddenly woken up by a friend’s phone call.

Wake up, your number is gone ▼

? ? ? What is the situation, so that friends who have not been in contact for many years suddenly contact me.

Click on this picture and take a closer look, my dear, it is actually a blackmail letter to me.

Also sent it to my friend’s account?

This hacker is “aggressive”. Not only does he claim to have hacked into my computer equipment, but also my microphone, keyboard, and monitor are all under his control.

Not only that, but I also have the ability to “add some material” to my various information, make a video, and then send it to my friends for appreciation .

Um? ? ? Am I going to die so easily?

At this moment, the banner “Someone in the dream town of Angel Village was scammed by extortion mail ” has passed through my mind.

But I, Tony, will never take a dog easily. This big hacker is also very gentle, and he also gave me a chance to escape from him.

Just spending $1,250 worth of Bitcoin would give me a clean break and regain my power to breathe in Angel Village.

Otherwise, I will leave without taking the regret medicine.

By the way, this eldest brother took control of my computer in order to prove that he really knew me, and attached a screenshot of my computer at that time in the email.

Before leaving, he left a very domineering sentence:

Ransom 1250 knives. . . It didn’t cost me that much to sell me.

Don’t be afraid of being smashed to pieces, you must leave your innocence in the world! , my chat records that I have treasured for many years cannot be seen by others.

Such an expensive blackmail, or else. . . Or reinstall the system.

So then again, how did I get caught? To die is to die to understand.

After a little thought, I decided to start recalling the day mentioned in the email. . .

During that time, in order to help the poor reviewer find information, it seems that he did download a software that should not be downloaded, and ran this unfamiliar program .

Blame the poor reviewers! ! !

However, the anti-virus software in my computer is also very clever, and an error is reported on the spot. (No screenshots, brain supplements are recommended)

Looking at the risk warning that the computer exploded, no matter how stupid I was, I reacted immediately, and terminated the process on the spot + removed the root and deleted the software + shook a foreign aid to help solve the computer problem together.

One thing to say, the 360 ​​speed version is okay to use

At that time, I felt that I had cleaned up enough, and I let things come to an end.

Unexpectedly, my Sony account has been tried to log in these days.

But PS5 doesn’t play too much + work is too busy,

I didn’t take it to heart▼

Combined with the fact that I was reminded by a friend that it was a problem with my mailbox, I also found my own mailbox.

Sure enough, I actually received a similar email – only blocked by spam.

And take a closer look at the cc list of this email. . . Basically it ‘s the account I’ve logged into this computer before.

This is why my friends also receive extortion emails ▼

so. . . The result is also very clear – the accounts logged in Chrome on my computer have been hacked.

In addition to the account number, there is also a password.

Now that the problem is with Chrome, I’m starting to wonder about his password management strategy.

Known 1: All of our stored accounts have been compromised.

Known 2: Some of the stolen accounts are being logged in frantically, which means that the password has been leaked.

So take a look at the two, Chrome’s passwords stored locally are not safe, and intruders can steal everyone’s passwords in a very short period of time ?

After a little research, I found that this is really not as complicated as I thought. . .

Chrome’s password protection mechanism is really as simple as it gets.

Or rather, not safe at all.

You can recall how we used Chrome. Every time we auto-fill the password, is it very “insensitive” to directly fill in our account and password.

Open a login interface casually ▼

Convenience is convenience, but are you saying this is “convenience” too much?

Not only does it not require any verification to know whether we can log in to these websites, but it also fills in the password for you directly.

Moreover, it is easy to take precautions on the face, and there are not many security measures even in the library where our passwords are stored.

Anyone who knows the password to unlock your computer can easily access any password stored in your browser.

But this is obviously not what happened to me. The intruder used a more brute force method to directly obtain all my passwords.

Although on the surface, Chrome will encrypt our passwords.

But where is the encrypted file stored? . . is a fixed position.

The safe is located at:

C : \Users\<PCName>\AppData\Local\Google\Chrome\User Data\Default\Login Data .

After finding it and connecting through the SQLite3 database, you can find the correspondence between the three stored “URL” – “account” – “encrypted password”.

At least this step is still somewhat safe, because it is a safe after all, and you still need a key to open it.

But unfortunately, the place where this key is placed is also very “specific”, it is hidden in our local system:

C :\Users\<PC Name>\AppData\Local\Google\Chrome\User Data\Local State

Among them, exactly the same, without change.

Open the file with Notepad and search for “encrypt” to get the key to unlock the vault.

Isn’t it very simple.

Although the encryption algorithm used by Google is AES with relatively high security, it can’t stand it, and it puts both the ciphertext and the key in place. . .

After both are exposed, through the decryption function CryptUnprotectData ( dpapi.h ) provided by Windows itself, our password will be instantly seen by others.

Tony also asked Shichao to help find a script to experience it, and my poor password was deciphered a second time on the spot. . .

(The decryption call here is Microsoft’s own win 32 dpapi function, which needs to be deciphered on the local machine (meaning that it is useless for others to copy your two files))

That’s right, cracking Chrome passwords on Windows is so easy, you don’t even need admin rights, maybe even risk warnings.

And, Google is totally aware of this.

As early as 2013 or so, there was a response: ” If someone hacks into your system user account, no amount of security measures is useless . If a thief enters your home, then everything in your home is at risk. of.”

It makes sense at first glance. If Tony and I pay attention to safety and don’t open those software of unknown origin , wouldn’t everything be fine?

But if you think about it carefully, you will find how outrageous Google’s “inaction” remarks are here. As a user, I did accidentally put the thief in my home.

But that doesn’t mean you can leave my safe and keys at the gate.

One Piece Roger knew before his death to hide his treasure at the end of the “Great Route”

Then Google, as the world’s most used browser and the world’s top search engine developer, encounters this kind of user privacy problem. Instead of thinking about how to protect everyone, it first blames users for being careless?

It can’t be said.

Although I also know that when my home is breached, any protection method may not be able to achieve 100% security, but it is also impossible to achieve absolute security . Other manufacturers are also trying various methods to protect everyone.

MacOS opted to protect everyone’s privacy with keychains, with additional encryption to protect users’ passwords.

The dying FireFox also gives users the option to use a master password for secondary protection.

Or if you are not at ease with the services of big manufacturers, you can also choose some local third-party password software, such as paid 1Password, you can choose to save local passwords, or build your own free and open source Bitwarden service.

Everyone has their own way, but none of them choose to put passwords in the most conspicuous place like Google. . .

The text and pictures in this article are from bad reviews