Interesting macOS Chrome Browser Files

This blog takes a quick look at Chrome files on macOS that are not protected by TCC and do not require root access to read. Because these files are not protected by TCC, any non-sandboxed macOS payload can access them without needing TCC permissions.

Chrome Files Not Protected by TCC

Note: Some Chrome files are locked while Chrome is running. However, because these files are not protected by TCC, you can simply copy the locked file to another location and read it there.

Keychains

A lot of good research has already been done around extracting Chrome cookies. Ex:

Definitely check those blogs out for more info around Cookie extraction.

The user-level keychain databases themselves (ex: ~/Library/Keychains/login.keychain-db or ~/Library/Keychains/login.keychain) are not protected by TCC. However, you do need the user’s macOS password in order to read the sensitive contents of the keychain database (ex: usernames, passwords, etc.). This presents an interesting attack path that still works on modern versions of macOS:

Red teamer with blue team roots🤓👨🏽‍💻 Twitter: @cedowens