Stealing Passwords with Google Chrome

Here's a neat trick to steal your friends passwords using Google Chrome.

Environment

The target computer is using Google Chrome, which is currently not signed in to a Google Account. This local Chrome profile has some saved passwords.

The Attack

Using that local Chrome profile sign-in to Chrome with your profile (eg: attacker@gmail.com). Now, because you have Chrome sync enabled all the passwords from the local Chrome profile are now merged with the passwords you've saved in your roaming Chrome profile. Theft complete!

Discovery

We had a computer at the office, a test bed system. We'd have it save passwords for things during test. We never purged the profile. This is similar to what your Victims computer would have.

Then for another test we actually did sign-in to Chrome, at which point the this remote profile had 100s of new usernames & passwords which were clearly from our test environment.

I don't know if it's evil but, it's really fucked up.