May 11, 2021

Malware that clones chrome session id?


This topic contains 1 reply, has 2 voices, and was last updated by  ferrybig 1 month ago.

  • #382082

    anonymous
    Participant

    Hi, I recently learned that a lot of YouTubers got (and are getting) hacked by malware in a .scr format that clones your Chrome session ID. The hacker then replaces his Chrome session ID with the ID he took, and he can access the entire Chrome session and Google account of the victim without typing any password.

    How is that possible? How can I get the Chrome session ID from Java code?

  • #382083

    ferrybig

    An `.scr` file is a screensaver executable for the Windows operating system. It is just like any other ordinary executable; it only has a different extension so Windows knows it should show some extra options in the right-click menu.

    What can an executable do? An executable file can do many harmful things; it can basically do the same things as other applications do.

    This harmful executable probably copies the file `C:\Users\Your User Name\AppData\Local\Google\Chrome\User Data\Default\Cookies`. This file contains all the cookies Chrome has in a common .sqlite format, and can be read with any common SQLite library.

    Just reading the cookie file isn’t enough on Windows; you get an encrypted value back. You need to call methods of the [Windows Data Protection API (DPAPI)](https://stackoverflow.com/q/22532870/1542723) in order to get the values. The malware does this to get the session ID of YouTube.
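
The file access described in the answer above can be watched for on the defensive side. The following is an added example, not part of the original post: it flags any process other than the installed browser that reads a Chrome cookie database, working over records shaped like Windows file-access audit events (Security event 4663). It assumes auditing is enabled on the file; the allowlist, the `Network` subdirectory handling and the sample records are constructed for illustration.

```python
import re
from ntpath import normpath

# Cookie DB for any Chrome profile. The optional "Network" directory is an
# assumption covering Chrome builds that keep the file one level deeper.
COOKIE_DB = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$",
    re.IGNORECASE,
)
# Assumption: the only binaries expected to read that file on this host.
ALLOWED_READERS = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}
FILE_READ_DATA = 0x1  # access-mask bit for reading file contents


def suspicious_cookie_reads(events):
    """Return events where a non-allowlisted process read a Chrome cookie DB."""
    hits = []
    for ev in events:
        obj = normpath(ev["ObjectName"])
        # Compare the full image path: the file name alone can be spoofed.
        proc = normpath(ev["ProcessName"]).lower()
        if not COOKIE_DB.search(obj):
            continue
        if not int(ev["AccessMask"], 16) & FILE_READ_DATA:
            continue  # e.g. attribute-only access, contents not read
        if proc not in ALLOWED_READERS:
            hits.append(ev)
    return hits


def _ev(proc, obj, mask):
    return {"ProcessName": proc, "ObjectName": obj, "AccessMask": mask}


PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
# Constructed sample records, simplified from file-access audit events.
SAMPLE_EVENTS = [
    _ev(r"C:\Program Files\Google\Chrome\Application\chrome.exe", PROFILE + r"\Default\Cookies", "0x1"),
    _ev(r"C:\Users\alice\Downloads\preview.scr", PROFILE + r"\Default\Cookies", "0x1"),
    _ev(r"C:\Users\alice\AppData\Local\Temp\chrome.exe", PROFILE + r"\Profile 1\Network\Cookies", "0x1"),
    _ev(r"C:\Windows\explorer.exe", PROFILE + r"\Default\Cookies", "0x80"),
    _ev(r"C:\Users\alice\Downloads\preview.scr", PROFILE + r"\Default\History", "0x1"),
]

if __name__ == "__main__":
    for hit in suspicious_cookie_reads(SAMPLE_EVENTS):
        print("ALERT", hit["ProcessName"], "->", hit["ObjectName"])
```

Backup and antivirus tools also read this file, so the allowlist needs tuning per environment before alerts are useful.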

  • #382084

    yayaoa

    `document.cookie`

    There you go
