Browser Secrets: How Hackers Steal Your Session Cookies #shorts

BSides Frankfurt | 2:27 | 480 views | Published 2026-03
About this talk
Info stealers are a major threat, stealing cookies, passwords, and autofill data. If you have the cookie, you're already inside the session, bypassing MFA entirely. Learn how threat actors exploit this. #MfaBypass #CyberSecurity #InfoStealers #BrowserSecurity
Transcript [en]

When it comes to browser secrets, it's interesting because if you have the cookie, you're inside the session, right? One way we see that MFA is being bypassed, which is very common, is infostealers. And there are a few of them that are quite big, and they have these advertisements and so on. They basically operate as malware as a service, which is a common term, which is basically that they run this thing and you kind of subscribe to credentials. So, Russian Market is a good example of that. So, what they do is that they infect machines at scale, and they steal cookies, they steal saved passwords, they steal autofill data, which would usually contain, you know, credit cards and that kind of information. A lot of them are also targeting Bitcoin wallets and that kind of thing as well. And then they have this website, which is just updated all the time, where threat actors that do ransomware or something else can just go to and get credentials.

So, when it comes to browser secrets, it's interesting because if you have the cookie, you're inside the session, right? So, you don't have to authenticate; it doesn't matter if they have MFA or whatever they have, right? Because you're already inside an authenticated session. And you know, stealing secrets from browsers is fairly easy because, as we talked about before, actually, DPAPI is what protects them on a Windows system in, for example, Chrome. So, either you can do some cool stuff and try to unprotect them, and you can even dump LSASS and get the secrets needed to do it offline. Or, if you're the main admin, you can have a backup secret, but if you're domain admin, you probably don't do this, so yeah, who cares. But the easiest way is that Chrome needs those cookies, right? So, Chrome must have the cookies, because otherwise you sort of lose the entire point of cookies. Right? So, what you can do is that you can start Chrome in debug mode, then you just send a command, which is like "give me all cookies". And then it's going to give you all the cookies. So, it's pretty much a one-liner to just dump all those secrets. And in a sense, it doesn't really matter how you protect these secrets, because Chrome needs to be able to decrypt them, right? So, if you're local admin and you have control over the system, you're going to be able to get this.
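A defender-side check for the last point in the talk, added here as an example that is not part of the talk: a browser that is launched with its remote-debugging switches enabled is rare on a user's desktop, so process-creation telemetry can flag it. The field names follow Sysmon's process-creation event (Event ID 1); the browser list and the sample events are constructed for the example.

```python
from __future__ import annotations

# Chromium switches that expose the DevTools protocol; anything that can reach
# it locally can ask the running browser for its already-decrypted cookies.
DEBUG_SWITCHES = ("--remote-debugging-port", "--remote-debugging-pipe")
# Chromium-based browser binaries (short list for the example; extend as needed).
BROWSER_IMAGES = ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe")


def is_chromium(image: str) -> bool:
    """True if the process image is a Chromium-based browser binary."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower() in BROWSER_IMAGES


def debug_switches(command_line: str) -> list[str]:
    """Return the remote-debugging switches present in a command line.
    Only tokens beginning with '--' matter, so a whitespace split is enough
    even when the quoted executable path contains spaces."""
    hits = []
    for token in command_line.split():
        if token.startswith("--") and token.split("=", 1)[0].lower() in DEBUG_SWITCHES:
            hits.append(token)
    return hits


def flag_events(events: list[dict]) -> list[dict]:
    """Turn process-creation events into alerts; the parent image is kept for triage."""
    alerts = []
    for ev in events:
        if not is_chromium(ev.get("Image", "")):
            continue
        hits = debug_switches(ev.get("CommandLine", ""))
        if hits:
            alerts.append({"time": ev.get("UtcTime"), "image": ev["Image"],
                           "parent": ev.get("ParentImage"), "switches": hits})
    return alerts


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-03-02 09:14:03", "Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}"'},
    {"UtcTime": "2026-03-02 09:21:47", "Image": CHROME, "ParentImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "CommandLine": f'"{CHROME}" --headless --remote-debugging-port=9222'},
    {"UtcTime": "2026-03-02 09:30:00", "Image": EDGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{EDGE}" --remote-debugging-pipe'},
    {"UtcTime": "2026-03-02 09:31:10", "Image": r"C:\Windows\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe --remote-debugging-port=9222"},
]

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print(alert)
```

Developers and automated test tooling do launch browsers this way, so an alert from a non-interactive parent such as a temp-directory binary deserves more weight than one from a developer's shell.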