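I have found the following code snippet for decrypting passwords from Chromium-based browsers:

    from Crypto.Cipher import AES  # PyCryptodome

    def _decrypt_v80(buff, master_key):
        # Layout: 3-byte version prefix, 12-byte nonce, then ciphertext + 16-byte GCM tag
        iv = buff[3:15]
        payload = buff[15:]
        cipher = AES.new(master_key, AES.MODE_GCM, iv)
        # decrypt() does not verify the tag; the trailing 16 tag bytes are sliced off below
        decrypted_pass = cipher.decrypt(payload)
        decrypted_pass = decrypted_pass[:-16].decode()
        return decrypted_pass
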
buff is the encrypted password blob stored in the “Login Data” database.
master_key is the unprotected Master Key from the “Local State” JSON file.
When I run this function with a master key and password obtained from Edge it works fine and it returns the decrypted password.
However, Google Chrome (version 141.0.7390.55) is different. When I get the master key and password from Google Chrome and try to decrypt it with the above function I get an
‘utf-8’ codec can’t decode byte 0x82 in position 1: invalid start byte
error, which indicates there was some mistake in the decryption of the password, since it cannot encode as utf-8.
I have also implemented a similar function in C# and here I get an error that the AES-GCM tag failed to check, which indicates the cipher might be broken:
Org.BouncyCastle.Crypto.InvalidCipherTextException: ‘mac check in GCM failed’
(Again, the Edge passwords decrypt just fine.)
Is there some additional protection on Google Chrome browser passwords as opposed to Edge passwords, or am I missing something here?
Any help will be greatly appreciated.
PS: I have checked other posts and came across this: https://superuser.com/a/1849488/1907385, but it just seems to do what I am doing right now
The origin_url and the username_value are not encrypted but the password_value is encrypted. You do AES GCM 256 decryption on the password_value and now it is decrypted, plaintext password.
EDIT 1:
The first 3 bytes of the encrypted Edge passwords encode to v10 and the first 3 bytes of the encrypted Chrome password to v20, which means the encryption algo should be ChaCha20_Poly1305) Script
Can’t figure out why that script hardcodes the keys though. They should probably be in “Local State”…
EDIT 2:
Possible solution found: https://stackoverflow.com/a/79216440/22357203
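
The prefix observation in EDIT 1, turned into a guard (an added example, not part of the original post): it splits a blob into the fields the posted function slices by offset and rejects any prefix other than v10, so a blob in another format fails with a clear error instead of a UTF-8 or GCM tag error. `split_blob`, `GcmBlob`, `UnsupportedBlob` and the sample blobs are hypothetical names and constructed data.

```python
from dataclasses import dataclass

PREFIX_LEN, NONCE_LEN, TAG_LEN = 3, 12, 16
# Assumption: the only prefix the posted function is known to handle is the
# one the post reports working (v10).
SUPPORTED_PREFIXES = {b"v10"}


class UnsupportedBlob(ValueError):
    """Raised when a blob is not in the layout _decrypt_v80 assumes."""


@dataclass(frozen=True)
class GcmBlob:
    prefix: bytes
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def split_blob(buff: bytes) -> GcmBlob:
    """Split prefix | nonce | ciphertext | tag, refusing anything else."""
    if len(buff) < PREFIX_LEN + NONCE_LEN + TAG_LEN:
        raise UnsupportedBlob(f"blob too short: {len(buff)} bytes")
    prefix = bytes(buff[:PREFIX_LEN])
    if prefix not in SUPPORTED_PREFIXES:
        raise UnsupportedBlob(f"unhandled version prefix {prefix!r}")
    nonce = bytes(buff[PREFIX_LEN:PREFIX_LEN + NONCE_LEN])
    body = bytes(buff[PREFIX_LEN + NONCE_LEN:])
    # The last 16 bytes are the GCM tag; the rest is ciphertext (may be empty).
    return GcmBlob(prefix, nonce, body[:-TAG_LEN], body[-TAG_LEN:])


# Constructed sample blobs (not real browser data).
SAMPLE_V10 = b"v10" + bytes(range(12)) + b"CIPHERTEXT" + b"T" * 16
SAMPLE_V20 = b"v20" + SAMPLE_V10[3:]

if __name__ == "__main__":
    print(split_blob(SAMPLE_V10))
    try:
        split_blob(SAMPLE_V20)
    except UnsupportedBlob as exc:
        print("rejected:", exc)
```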