
I came across the following tweet on Twitter this week from CyberArk Labs security researchers, who disclose the issue and describe it in more detail in the blog post Extracting Clear-Text Credentials Directly From Chromium's Memory. It's a discovery that Zeev Ben Porat made by chance.

He had created a mini-dump of all active Chrome.exe processes as part of a project. Spontaneously, he decided to check whether a password he had recently entered into the browser appeared in one of these dumps. To his surprise, he found that the password was stored in plain text in several different places in the memory of two of those processes.

This information can be effectively extracted from a standard process (without elevated privileges) running on the local computer that has direct access to Chrome's memory (using the OpenProcess and ReadProcessMemory APIs). The extracted data can be used to hijack user accounts.

The security researcher successfully tested session hijacking for Gmail, OneDrive and GitHub. This is true even if the accounts are protected by an MFA mechanism, because the session cookies can be read and used. He found similar vulnerabilities in Microsoft's Edge browser and suspects it is no different for other Chromium clones.
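The access pattern described above, a non-browser process opening chrome.exe or msedge.exe and reading its memory, is visible to defenders as a Sysmon Event ID 10 (ProcessAccess) record. The following is an added example, not code from the original post or from CyberArk's research: it checks constructed ProcessAccess records for a handle to a browser process that includes PROCESS_VM_READ (the right ReadProcessMemory needs) from a process that is not on an assumed allow-list. The sample records and the allow-list are assumptions.

```python
# Added example (not from the original post or CyberArk's research): flag
# processes that obtain read access to a browser's memory, the step that
# OpenProcess + ReadProcessMemory credential extraction relies on.
import re

PROCESS_VM_READ = 0x0010           # access right required by ReadProcessMemory
BROWSERS = {"chrome.exe", "msedge.exe"}
# Processes that legitimately open browser memory (assumed; tune per environment).
ALLOWED_SOURCES = {"chrome.exe", "msedge.exe", "csrss.exe", "msmpeng.exe"}

# Constructed Sysmon Event ID 10 records in "key=value; key=value" form.
# Field names follow Sysmon's ProcessAccess event; the values are made up.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\csrss.exe; TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe; GrantedAccess=0x1fffff",
    "SourceImage=C:\\Users\\alice\\Downloads\\dumper.exe; TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe; GrantedAccess=0x410",
    "SourceImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe; TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe; GrantedAccess=0x1fffff",
    "SourceImage=C:\\Users\\alice\\tools\\notepad.exe; TargetImage=C:\\Windows\\notepad.exe; GrantedAccess=0x1000",
    "SourceImage=C:\\Users\\alice\\Downloads\\dumper.exe; TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe; GrantedAccess=0x1400",
]

def parse_event(line):
    """Turn one 'key=value; ...' record into a dict."""
    return dict(kv.split("=", 1) for kv in re.split(r";\s*", line.strip()))

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_suspicious(event):
    """True when a non-allow-listed process gets VM_READ on a browser process.
    A handle with only query rights (e.g. 0x1400) is not enough to read memory."""
    src = basename(event["SourceImage"])
    dst = basename(event["TargetImage"])
    granted = int(event["GrantedAccess"], 16)
    return (dst in BROWSERS
            and src not in ALLOWED_SOURCES
            and granted & PROCESS_VM_READ != 0)

def find_suspicious(lines):
    """Return (source, target, granted access) for events worth investigating."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((basename(ev["SourceImage"]), basename(ev["TargetImage"]), ev["GrantedAccess"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious browser memory access:", hit)
```

The browser's own helper processes open each other with full access, which is why the allow-list matters; the msedge.exe record with 0x1400 is deliberately not flagged because it lacks PROCESS_VM_READ.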
