Hacking Firefox Passwords (It's Too Easy!)

This is going to be a quick one because, well, it's super easy. I mean, like your mother easy. If you've ever watched anything cybersecurity related on YouTube, you've probably been told to save your passwords in a password manager program separate from your browser as opposed to the 'save in browser' option, and YOU SHOULD LISTEN TO THESE PEOPLE. Personally, I'm a big fan of KeePassXC because it's free and open source, and is just generally a great program, but there are plenty of options out there.

Now on my desktop I use Firefox with the Arkenfox user.js (https://github.com/arkenfox/user.js) added, and it does not save browser history or passwords. I definitely recommend checking it out if you're concerned about privacy and security. On my laptop I was using LibreWolf for a good minute (an amazing Firefox fork), but at some point I switched back to basic Firefox and started to get a bit lazy with sites that I visit every day to save time. I knew that it was possible to retrieve password hashes from the Firefox local folders, but I had never actually tried doing it.

So I tried it out. On Linux there will be a hidden folder in your home directory called .mozilla (ls -a to see hidden folders in your directory, of course), so cd into there, then cd into the firefox folder and again into a folder that ends with .default-release (there may be more than one depending on your browser profile setup), then ls. Literally one of the first things that you see is a logins.json file. You can open that in Vim and you'll see a wall of sites where you've saved passwords before, along with hashed passwords. Obviously we can't use hashed passwords as they are, so we'll just grab a tool that can. Firefox_Decrypt (https://github.com/unode/firefox_decrypt) is a Python program that does exactly this. You can run it with python3, or if you're using an Arch-based OS, it's available in the BlackArch repo, and the git version is in the regular AUR.
I grabbed the BlackArch version, and it is literally the easiest thing to do. Type in the program, no flags, press Enter. It will bring up a list of these folders that we've been snooping through; select the one that you want. And there it is. Scary, right? I almost feel ridiculous writing this whole article because the whole process of learning and pulling this off took around 5 minutes. There are techniques to pull this off in any mainstream browser (which is already your biggest point of compromise) and it's so mind-numbingly simple that any script kiddie who knows how to run Python programs off of GitHub can do it.

I'm going to be taking some time today to re-evaluate my browser use on my laptop and to update and back up my KeePass file. I'm considering switching back to LibreWolf or exploring other Firefox-based options. I would say GNU IceCat, since I love LibreJS as an extension and use it on my desktop, but it makes navigating the modern web a pain in the butt at times. We'll see, but this is definitely not okay from a privacy perspective and needs to be remedied ASAP, because a 30 character randomly generated password isn't worth a flip if anybody with access to your filesystem can more or less faceroll the keyboard and get those passwords, copypasta them into a text file, and that's it.

And of course, a ton of people do this. Your parents probably do this, mine do. A lot of us feel conditioned to because of the sheer amount of accounts that we're pressured or required to have in today's society. That's a lot of passwords, and if your browser says "want me to remember this for you?" Heck yeah fam, that sounds lit, convenience ftw!
This makes this kind of attack particularly frightening, especially in a public or office environment where somebody could walk up to your computer while you're getting coffee, pull this off in less than 2 minutes and walk away with all of your account info on a flash drive, without having to know anything besides a few basic terminal commands and how to run a Python script. Social media accounts, bank accounts, email, server logins, the list goes on.

Protect yourself: use a (preferably FOSS) password manager with a secure password (it'll be the only one that you need to remember from that point) and possibly some form of 2FA, and don't save your heckin' logins in your browser! In default Firefox, it's as easy as opening settings, going to Privacy & Security, then un-clicking 'Ask to save passwords' under Passwords. I'm not sure about Chromium-based browsers because the only one that I've touched with a 10ft pole in the last 5 years is Brave, but it should be just as cut and paste, I'd imagine.

Well, that's it for today guys, have a great week and see you in the next article. Peace
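
A defender-side check for the situation described above, as an added example that is not part of the original article or of Firefox_Decrypt: it lists which profiles under ~/.mozilla/firefox still hold saved logins and whether other local users can read the file. It decrypts nothing and relies only on the clear-text hostname field that logins.json keeps beside each entry's encryptedUsername and encryptedPassword values; the profile names and entries in demo() are constructed sample data.

```python
import json
import stat
import tempfile
from pathlib import Path


def audit_profiles(firefox_dir):
    """Map profile name -> saved-login sites and file exposure (no decryption)."""
    findings = {}
    for logins_file in sorted(Path(firefox_dir).glob("*/logins.json")):
        try:
            data = json.loads(logins_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt file: nothing to report
        entries = data.get("logins", []) if isinstance(data, dict) else []
        sites = sorted({e["hostname"] for e in entries
                        if isinstance(e, dict) and e.get("hostname")})
        if not sites:
            continue  # profile exists but has no saved logins
        mode = logins_file.stat().st_mode
        findings[logins_file.parent.name] = {
            "sites": sites,
            # True when group/other permission bits allow reading the file
            "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        }
    return findings


def demo():
    """Run the audit on a constructed profile tree (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "abcd1234.default-release"  # constructed name
        profile.mkdir()
        sample = {"logins": [
            {"hostname": "https://mail.example", "encryptedPassword": "AAAA"},
            {"hostname": "https://bank.example", "encryptedPassword": "BBBB"},
        ]}
        (profile / "logins.json").write_text(json.dumps(sample))
        (Path(tmp) / "efgh5678.default").mkdir()  # profile with no logins
        return audit_profiles(tmp)


if __name__ == "__main__":
    # Audit the real profiles under ~/.mozilla/firefox (path from the article).
    for name, info in audit_profiles(Path.home() / ".mozilla/firefox").items():
        flag = " [readable by other users]" if info["readable_by_others"] else ""
        print(f"{name}: {len(info['sites'])} site(s) with saved logins{flag}")
        for site in info["sites"]:
            print(f"  {site}")
```

Every site it prints is a login to move into the password manager and then remove from the browser.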