[WIP] Add method to load login credentials as well as cookies #164
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dlenski
force-pushed
the
login_credentials
branch
from
8d4b778
to
e8673f5
Compare
This takes up time and disk space unnecessarily. SQLite3 is able to open databases in a read-only, lock-free mode (see "nolock" in https://www.sqlite.org/c3ref/open.html). Tested on Linux with Chrome, Chromium, and Firefox; loading cookies from databases opened in these modes appear to work fine as long as we attempt to fallback from read-only, lock-free to simply read-only. Somewhat frustratingly and confusingly, these option seems only to be accessible by using 'file:' URIs, and not via any other API (see https://www.codejam.info/2021/10/bypass-sqlite-exclusive-lock.html). Fortunately, the standard library module pathlib (Python 3.4+) makes it easy to convert paths to 'file:' URIs in a cross-platform way.
The replacement of sqlite3 with pysqlite2 on Windows dates back to the initial 2015 commit to the parent repository (richardpenman/browsercookie@7828992). pysqlite2 is no longer maintained, and there no longer appears to be any bug or limitation preventing sqlite3 from opening Chrome/Firefox databases on Windows.
This same idiosyncratic timestamp format ("microseconds since Windows NT
epoch") is apparently used by Chromium-based browsers for both cookies’
expiration timestamps, as well as timestamps associated with saved login
credentials.
dlenski
force-pushed
the
login_credentials
branch
2 times, most recently
from
8ef18de
to
217d331
Compare
The machinery for decrypting login credentials on Chromium-based browsers is essentially identical to what's used to decrypt cookies. For a fairly hacky standalone implementation of login credential decryption, see https://github.com/priyankchheda/chrome_password_grabber. Done: - Add ChromiumBased.load_logins() method. - Autodetect paths for login credentials on Chrome and Chromium browsers on Linux. (Tested both) TODO: - Determine correct paths for login credentials on Windows, macOS, and other Chromium-based browsers. For now, you should be able to test whether the same decryption process works by finding the login credentials database path, and passing passing `login_file='THAT_PATH'` to the constructor for any `ChromiumBased` browser. - Add loading and decryption of login credentials from Firefox as well. Perhaps based on https://github.com/unode/firefox_decrypt?
dlenski
force-pushed
the
login_credentials
branch
from
217d331
to
4e33bdd
Compare
You should probably merge that one first, since it just makes small cleanup-y changes…
You could, but I've only tested in on recent Chrome/Chromium on Linux, and not even sure if it'll work with other versions of Chrom*-based browsers or on other OSes. And additional work for Firefox is certainly needed. I mostly wanted to post it at this point in order to get feedback on the interface/API for loading the logins. |
|
Your approach looks good to me. I can test them on different browsers and OSes. |
No file copying, and no Windows import override needed
The machinery for decrypting login credentials on Chromium-based browsers is essentially identical to what's used to decrypt cookies. For a fairly hacky standalone implementation of login credential decryption, see https://github.com/priyankchheda/chrome_password_grabber. Done: - Add ChromiumBased.load_logins() method. - Autodetect paths for login credentials on Chrome and Chromium browsers on Linux. (Tested both) TODO: - Determine correct paths for login credentials on Windows, macOS, and other Chromium-based browsers. For now, you should be able to test whether the same decryption process works by finding the login credentials database path, and passing passing `login_file='THAT_PATH'` to the constructor for any `ChromiumBased` browser. - Add loading and decryption of login credentials from Firefox as well. Perhaps based on https://github.com/unode/firefox_decrypt?
Also: - Put source package in a directory called browser_cookie3, so that __main__.py can 'from . import *' even while testing - Clean up/clarify BrowserCookieError() messages a bit - Make Firefox class and firefox() function take a key_file parameter, but ignore it, for a consistent interface with Chromium-based browsers - Cleanup all trailing whitespace (with https://github.com/dlenski/wtf)
This pure-Python decryption looks like the best approach: https://github.com/lclevy/firepwd/blob/master/firepwd.py
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The machinery for decrypting login credentials on Chromium-based browsers is
essentially identical to what's used to decrypt cookies. For a fairly hacky
standalone implementation of login credential decryption, see
https://github.com/priyankchheda/chrome_password_grabber.
Done:
Linux. (Tested both)
TODO:
Determine correct paths for login credentials on Windows, macOS, and other
Chromium-based browsers.
For now, you should be able to test whether the same decryption process
works by finding the login credentials database path, and passing passing
login_file='THAT_PATH'to the constructor for anyChromiumBasedbrowser.
Add loading and decryption of login credentials from Firefox as well.
Perhaps based on https://github.com/unode/firefox_decrypt?