RepoPilot

moonD4rk/HackBrowserData

Extract and decrypt browser data, supporting multiple data types, runnable on various operating systems (macOS, Windows, Linux).

Healthy

Healthy across all four use cases

Dependency: Healthy

Permissive license, no critical CVEs, actively maintained — safe to depend on.

Fork & modify: Healthy

Has a license, tests, and CI — clean foundation to fork and modify.

Learn from: Healthy

Documented and popular — useful reference codebase to read through.

Deploy as-is: Healthy

No critical CVEs, sane security posture — runnable as-is.

  • Concentrated ownership — top contributor handles 64% of recent commits
  • Scorecard: default branch unprotected (0/10)
  • Last commit 1d ago
  • 9 active contributors
  • MIT licensed
  • CI configured
  • Tests present

Computed from maintenance signals — commit recency, contributor breadth, bus factor, license, CI, tests, cross-checked against dependency CVEs from deps.dev and OpenSSF Scorecard

Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.

Onboarding doc

Onboarding: moonD4rk/HackBrowserData

Generated by RepoPilot · 2026-07-04 · Source

Verdict

Healthy — Healthy across all four use cases

  • Last commit 1d ago
  • 9 active contributors
  • MIT licensed
  • CI configured
  • Tests present
  • ⚠ Concentrated ownership — top contributor handles 64% of recent commits
  • ⚠ Scorecard: default branch unprotected (0/10)

TL;DR

HackBrowserData is a cross-platform Go CLI tool that extracts, decrypts, and exports sensitive data from Chromium-based browsers (Chrome, Edge, Brave, Opera) and Firefox on Windows, macOS, and Linux. It recovers passwords, cookies, bookmarks, history, credit cards, download records, extensions, and storage data by accessing encrypted browser databases and decrypting them using OS-level key material (Windows DPAPI, macOS Keychain, Linux Secret Service). Monolithic CLI structured as browser/chromium/ and browser/firefox/ subdirectories with parallel extraction modules (extract_password.go, extract_cookie.go, etc.) for each data type. Platform-specific code in browser_windows.go, browser_darwin.go, browser_linux.go handles OS-level key recovery. Core decryption logic in chromium/decrypt.go handles Chromium's AES-256-GCM encryption; archive.go manages output serialization.

LLM-derived; treat as a starting point, not verified fact.

Who it's for

Security researchers, penetration testers, and forensic analysts who need to audit or recover browser data from compromised systems or offline copies. It enables cross-machine decryption: export encryption keys from a target OS, then decrypt browser data offline on any other host without needing the original browser or OS.

LLM-derived; treat as a starting point, not verified fact.

Maturity & risk

Actively developed and production-ready: has comprehensive CI/CD (lint, build, release, test, codecov), extensive test coverage across 50+ test files, and supports Go 1.20+. The large Go codebase (590KB) with modular browser-specific implementations and cross-platform support signals maturity, though the single-maintainer risk and security-sensitive nature warrant careful code review.

Moderate security risk: handles decryption of sensitive user data, requiring careful validation of cryptographic operations—note platform-specific decryption logic in browser_windows.go, browser_darwin.go, and chromium/decrypt.go with version-specific handling (decrypt_v20_test.go). Dependency on system keyrings (godbus for Linux, keychainbreaker for macOS) introduces OS-level brittleness. No obvious deprecated dependencies, but monitor updates to sqlite (modernc.org/sqlite) and goleveldb for schema changes.

LLM-derived; treat as a starting point, not verified fact.

Active areas of work

No recent commit information visible in the provided data, but the Makefile and test coverage suggest ongoing maintenance. GitHub Actions workflows (lint.yml, build.yml, release.yml, test.yml) indicate automated releases and testing; codecov integration shows active quality monitoring.

LLM-derived; treat as a starting point, not verified fact.

Get running

git clone https://github.com/moonD4rk/HackBrowserData.git
cd HackBrowserData
make build
./hack-browser-data -h

Or use the Makefile directly: make builds the binary; make test runs tests; make lint runs linters.

Daily commands: Build and execute: make build produces the binary, then run ./hack-browser-data with flags like -b chrome -o ./output to extract Chrome data to ./output directory. Refer to README for CLI flags (browser selection, output format, etc.). On macOS, some browsers may prompt for the user password due to Keychain integration.

Map of the codebase

  • cmd/hack-browser-data/main.go — Application entry point; orchestrates CLI command routing for extract, dump, archive, and restore operations.
  • browser/browser.go — Core browser abstraction interface defining the contract for all browser implementations (Chromium, Firefox, Safari).
  • browser/chromium/chromium.go — Primary Chromium-family browser extractor; handles profile discovery and coordinated data extraction.
  • browser/firefox/firefox.go — Firefox data extractor; manages profile enumeration and masterkey-based decryption orchestration.
  • browser/chromium/decrypt.go — Chromium encryption/decryption engine supporting multiple versions (v19, v20+); critical for password and payment data recovery.
  • crypto/crypto.go — Platform-agnostic cryptographic interface; delegates to OS-specific implementations for secure key storage access.
  • browser/keydump.go — Master key extraction from OS keychains and credential stores; foundation for all browser data decryption.

Components & responsibilities

  • Browser Interface & Factory (browser/browser.go, browser/browser_*.go) — Platform-aware browser discovery; instantiates Chromium, Firefox, or Safari extractor based on installed profiles.
    • Failure mode: Returns empty browser list if profiles not found in standard paths; silent graceful degradation.
  • Chromium Decryption Engine (browser/chromium/decrypt.go, crypto/crypto_*.go) — Handles AES-GCM (v20+) and DPAPI (v19) decryption; routes encrypted blobs through appropriate cipher.
    • Failure mode: Returns encrypted data on decryption failure; logs error and continues with next item.
  • Firefox Masterkey Resolver (browser/firefox/masterkey.go, browser/firefox/extract_password.go) — Parses key3.db or key4.db; derives masterkey from password or system keyring; decrypts login entries.
    • Failure mode: Skips Firefox extraction if key files corrupted or masterkey derivation fails.
  • SQLite Profile Parser (browser/chromium/profile.go, modernc.org/sqlite) — Enumerates browser profiles; opens SQL databases (Login Data, History, Cookies); queries and extracts rows.
    • Failure mode: Blocks on locked databases (browser running); logs file lock error.
  • OS Keychain Integration (crypto/crypto_*.go, golang.org/x/sys, godbus/dbus) — Platform-specific queries to DPAPI (Windows), Keychain (macOS), Secret Service (Linux) for encrypted master keys.
    • Failure mode: Returns nil key if keychain locked; proceeds with encrypted data fallback.
  • Archive & Export (browser/archive.go, cmd/hack-browser-data/dump.go) — Serializes extracted data to JSON, CSV, or ZIP; handles file I/O and output directory structure.
    • Failure mode: Fails fast if output directory not writable; creates directory if missing.

Data flow

  • OS Keychain/DPAPI → Chromium Decrypt Engine — Master key blob retrieved from OS; passed to AES-GCM/DPAPI decryption for credential recovery.
  • Firefox key file (key3.db/key4.db) → Firefox Masterkey Resolver — Key file parsed; masterkey derived and cached for all credential decryption in profile.
  • SQLite Profile Databases → Data Extractors (extract_password.go, extract — undefined

How to make changes

Add extraction for a new Chromium-based browser

  1. Create new browser struct in browser/chromium/source.go extending Chromium base (browser/chromium/source.go)
  2. Implement ProfilePath() and KeyPath() methods for profile discovery (browser/chromium/chromium.go)
  3. Register in browser factory via browser/browser.go GetBrowser() (browser/browser.go)
  4. Leverage existing decrypt.go and extract_*.go functions without modification (browser/chromium/decrypt.go)

Add a new data type extraction for all browsers

  1. Define ItemType constant in browser/consts.go (browser/consts.go)
  2. Create extract_[datatype].go in each browser folder (chromium, firefox, safari) implementing Extractor interface (browser/chromium/extract_password.go)
  3. Register extractor in browser.GetAllItems() factory method (browser/browser.go)
  4. Add CLI flag in cmd/hack-browser-data/extract.go if new user-facing option needed (cmd/hack-browser-data/extract.go)

Add platform-specific cryptography support

  1. Implement GetMasterKey() and Decrypt() functions in crypto/crypto_[platform].go (crypto/crypto_windows.go)
  2. Register platform build tag in crypto/crypto.go with conditional compilation (crypto/crypto.go)
  3. Add integration tests in crypto/crypto_test.go for decryption roundtrips (crypto/crypto_test.go)

Add new CLI command

  1. Create cmd/hack-browser-data/[command].go with Cobra command struct (cmd/hack-browser-data/extract.go)
  2. Register command in main.go rootCmd.AddCommand() (cmd/hack-browser-data/main.go)
  3. Implement Run() method delegating to browser package functions (cmd/hack-browser-data/dump.go)

Why these technologies

  • Go — Cross-platform compilation; direct OS API access (DPAPI, Keychain, Secret Service); single binary distribution.
  • SQLite (via modernc.org/sqlite) — Default storage for Chromium and Firefox profile data; pure Go implementation requires no external dependencies.
  • Cobra CLI Framework — Structured subcommand routing for extract/dump/archive operations with flag parsing and help generation.
  • Platform-specific crypto (DPAPI, Keychain, Secret Service) — Only method to retrieve encrypted master keys stored in OS credential managers; ensures security compliance.
  • LevelDB (via syndtr/goleveldb) — Fallback key-value store used by some Chromium configurations for LocalStorage and encrypted state.
  • ASN.1 PBE & PBKDF2 — Firefox uses PKCS#12 masterkey encryption; custom implementations allow offline decryption without OpenSSL.

Trade-offs already made

  • Single-process extraction instead of multi-process privilege escalation

    • Why: Simpler security model; relies on user already having browser process access.
    • Consequence: Cannot extract data from running browsers on Windows without process suspension; user must close browser first.
  • Direct OS keychain queries instead of browser APIs

    • Why: Provides access to cached credentials even if browser is not running.
    • Consequence: Tight OS coupling; platform-specific code paths required; fails if OS keychain is locked or inaccessible.
  • SQLite over custom database parsing

    • Why: Reuses battle-tested library; avoids reimplementing WAL/journal logic.
    • Consequence: Requires SQLite copy operations; blocks on locked databases if browser is running.
  • Unencrypted JSON output by default

    • Why: Ease of integration and post-processing; human-readable for debugging.
    • Consequence: Extracted credentials written to disk in plaintext; user responsible for securing output files.
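
The plaintext-output consequence above is usually contained with file permissions. The following is an added example, not code from HackBrowserData: it writes an export with owner-only permissions and audits an output directory for files readable by group or others. The function names and the sample file names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// WriteOwnerOnly creates path with mode 0600. O_EXCL makes it fail instead of
// reusing an existing file or following a symlink already at that path.
func WriteOwnerOnly(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// AuditLoosePerms returns regular files under dir (relative paths) whose mode
// grants any access to group or others. POSIX permission bits only.
func AuditLoosePerms(dir string) ([]string, error) {
	var loose []string
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode().Perm()&0o077 != 0 {
			rel, err := filepath.Rel(dir, p)
			if err != nil {
				return err
			}
			loose = append(loose, rel)
		}
		return nil
	})
	return loose, err
}

// runAudit builds a constructed output directory: one export written with
// WriteOwnerOnly and one left world-readable, then audits it.
func runAudit() ([]string, error) {
	dir, err := os.MkdirTemp("", "export-audit-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	// Constructed sample file names, not the tool's real output names.
	if err := WriteOwnerOnly(filepath.Join(dir, "password.json"), []byte("[]")); err != nil {
		return nil, err
	}
	legacy := filepath.Join(dir, "cookie.json")
	if err := os.WriteFile(legacy, []byte("[]"), 0o644); err != nil {
		return nil, err
	}
	// Chmod explicitly so the result does not depend on the process umask.
	if err := os.Chmod(legacy, 0o644); err != nil {
		return nil, err
	}
	return AuditLoosePerms(dir)
}

func main() { fmt.Println(runAudit()) }
```

The audit flags only `cookie.json`; permission bits are a POSIX concept, so on Windows the equivalent check has to inspect ACLs instead.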

Non-goals (don't propose these)

  • Does not modify or delete browser data; read-only extraction only.
  • Does not run arbitrary JavaScript in browser context; no active exploitation.
  • Does not handle multi-user OS scenarios; assumes single-user extraction.
  • Does not provide real-time monitoring of browser activity; one-time snapshot only.
  • Does not include network transmission or C&C callback functionality; purely local tool.
  • Does not support encrypted browser profiles (e.g., Firefox with master password set to non-empty on Windows with locked keyring).

Traps & gotchas

On macOS, password decryption may fail on macOS 14.6+; see README disclaimer. Linux requires D-Bus and Secret Service daemon running (systemctl status secrets.service or gdbus inspect). Chromium's encryption key is stored in encrypted form in Local State (master_key field) and must be decrypted via OS APIs before use. Firefox uses SQLite with unencrypted passwords by default unless a Primary Password is set (decrypt.go does not currently handle this). Windows DPAPI requires the same user context that encrypted the data. Test files use embedded test data; modifying browser versions (e.g., new Chromium encryption format in decrypt_v20_test.go) requires updating test fixtures.

Concepts to learn

  • DPAPI (Data Protection API) — Windows encryption mechanism used to protect Chromium's master key; understanding DPAPI user vs. machine scopes is critical for cross-user decryption scenarios
  • AES-256-GCM (Authenticated Encryption) — Chromium's encryption cipher for passwords, cookies, and credit cards since v80; implemented in chromium/decrypt.go and must handle both encryption and authentication tag validation
  • SQLite Database Access and Schema — Browser data lives in SQLite databases (Login Data, Web Data, History, etc.); understanding column names, schema versioning, and query patterns is essential for extraction modules
  • OS Keyring/Keychain Integration — Master keys stored in Windows Credential Manager, macOS Keychain, or Linux Secret Service; each platform has different APIs (DPAPI, Keychain, D-Bus Secret Service) requiring platform-specific code
  • Chromium Local State File (JSON) — Contains encrypted master_key and profile metadata; parsing this file via tidwall/gjson is the first step in Chromium decryption
  • Firefox Profile Structure and NSS (Network Security Services) — Firefox stores encrypted passwords in signons.sqlite and relies on NSS for decryption (currently not implemented for Primary Password); understanding this is needed for full Firefox support
  • Cross-Machine Decryption (Export/Import Keys) — Core feature: extract OS encryption keys on origin host, decrypt data offline on any machine; requires serializing key material and handling version compatibility across Chromium/Firefox versions
  • ropnop/kerbrute — Different domain (Kerberos) but similar security research CLI pattern for extracting and testing credentials
  • unode/firefox_decrypt — Specialized Firefox password decryption tool; reference for Firefox Primary Password handling that HackBrowserData may not yet support
  • gremlin/gremlin-go — Unrelated but shows Go CLI patterns for security tools using Cobra and cross-platform OS integration
  • moond4rk/keychainbreaker — Direct dependency; macOS Keychain decryption library that HackBrowserData uses for Safari/Chromium on macOS
  • moond4rk/plist — Direct dependency; plist parsing used for macOS browser configuration and preferences

PR ideas

Add comprehensive integration tests for Safari browser data extraction across macOS versions

The file structure shows browser/safari/ has extract_* files but notably lacks Safari-specific test files (no extract_password_test.go, no extract_storage_test.go, no safari_test.go). Given that Safari uses Keychain for password storage and has platform-specific encryption, this is a critical gap. New contributors can add tests for decrypt flows, Keychain integration, and profile detection on macOS.

  • [ ] Create browser/safari/safari_test.go to test profile discovery and browser initialization
  • [ ] Create browser/safari/extract_password_test.go with mock Keychain tests (using keychainbreaker dependency)
  • [ ] Create browser/safari/extract_storage_test.go for LocalStorage/SessionStorage extraction from plist files
  • [ ] Add testutil_test.go for Safari-specific test fixtures and helpers (following chromium/testutil_test.go pattern)
  • [ ] Ensure tests cover both Safari stable and beta profile paths

Implement cross-browser export format standardization and add CSV/JSON export tests

The codebase extracts passwords, cookies, bookmarks, and credit cards from multiple browsers, but there's no visible standardized export layer or format tests. browser/archive.go suggests archiving, but there's no clear CSV/JSON output specification. This PR would add a standardized export interface and comprehensive tests for all data types across all browsers.

  • [ ] Create browser/export/export.go with interfaces: CSVExporter, JSONExporter, HTMLExporter
  • [ ] Create browser/export/export_test.go with tests for password/cookie/bookmark export across chromium, firefox, and safari
  • [ ] Implement browser/export/csv_formatter.go to standardize output fields (URL, username, password, etc.)
  • [ ] Add tests ensuring sensitive data (passwords, credit cards) are never accidentally written to unencrypted exports
  • [ ] Update browser/archive.go to use the new export layer for all extraction types

Add platform-specific master password/encryption key tests for Firefox across Windows/macOS/Linux

browser/firefox/masterkey.go exists but browser/firefox/masterkey_test.go is present with minimal coverage. Firefox uses NSS (Network Security Services) with platform-specific key derivation. The repo has browser_windows.go, browser_darwin.go, and browser_linux.go but Firefox key decryption likely needs OS-specific test cases (Windows DPAPI, macOS Keychain, Linux secret service via dbus).

  • [ ] Expand browser/firefox/masterkey_test.go with test cases for Windows DPAPI key decryption using golang.org/x/sys/windows
  • [ ] Add test cases for macOS Keychain-stored Firefox master password using keychainbreaker dependency
  • [ ] Add test cases for Linux SecretService/D-Bus key retrieval using godbus/dbus/v5 dependency
  • [ ] Create browser/firefox/decrypt_masterkey_test.go for NSS3 encrypted profile key decryption across platforms
  • [ ] Add integration test for logins.json decryption after master key extraction on each platform

Good first issues

  • Add test coverage for browser/firefox/ extraction modules: extract_bookmark_test.go, extract_cookie_test.go, extract_download_test.go, extract_extension_test.go, extract_history_test.go currently exist but may lack edge-case scenarios (corrupted SQLite, missing columns, encoding issues). Write parametric tests for malformed database states.
  • Implement Safari password extraction: browser/browser_darwin.go has Safari support but extract_password.go only handles Chromium. Check if Safari Keychain passwords can be extracted via keychainbreaker; add browser/safari/extract_password.go following the existing Chromium pattern.
  • Add cross-platform integration tests: create browser/browser_integration_test.go that runs extract workflows on real browser profiles (if available in CI) or realistic mock databases. Current tests are unit-level; integration tests would catch OS-specific decryption failures early.

Recent commits

  • 29561b2 — chore(deps): bump actions/checkout from 6 to 7 (#617) (dependabot[bot])
  • 2860bb8 — docs: cross-host decryption guide and comment cleanup (#614) (moonD4rk)
  • dc610d3 — chore(deps): bump github.com/moond4rk/binarycookies from 1.0.2 to 1.0.3 (#613) (dependabot[bot])
  • bf96ba8 — feat(restore): cross-platform restore via dump engine rebuild (#606) (#611) (moonD4rk)
  • 8d8bd81 — chore(deps): bump github.com/moond4rk/plist from 1.2.1 to 1.2.2 (#612) (dependabot[bot])
  • cd0b2da — feat(cli): add archive command for cross-host data transport (#610) (moonD4rk)
  • f1219e4 — chore: update contributors list [skip ci] (hackbrowserdata-bot[bot])
  • 8936c42 — refactor(cli): flatten keys export/import into dumpkeys/restore (#608) (moonD4rk)
  • 9fa709a — chore: update contributors list [skip ci] (hackbrowserdata-bot[bot])
  • 8bd7c4e — chore(deps): bump github.com/moond4rk/plist from 1.2.0 to 1.2.1 (#609) (dependabot[bot])

Security observations

  • High · Sensitive Data Extraction and Storage — browser/chromium/decrypt.go, browser/firefox/extract_password.go, browser/safari/extract_password.go, browser/chromium/extract_creditcard.go. The application is designed to extract and decrypt sensitive browser data including passwords, cookies, credit cards, and extensions. While this is the intended functionality, there is significant risk if the extracted data is not properly secured, transmitted over unencrypted channels, or stored without adequate access controls. The presence of decrypt_*.go files suggests decryption of stored credentials. Fix: Implement strict data handling practices: encrypt all extracted data at rest, use secure memory handling to prevent plaintext credentials in memory dumps, sanitize output, enforce strict file permissions (0600) on output files, and document security warnings prominently in README and CLI output.
  • High · Third-party Keyring/Credential Access Dependencies — go.mod - godbus/dbus/v5, ppacher/go-dbus-keyring, moond4rk/keychainbreaker, moond4rk/binarycookies. The project uses several external packages for accessing system keyrings and credential stores (godbus/dbus, ppacher/go-dbus-keyring, moond4rk/keychainbreaker, moond4rk/binarycookies). These dependencies may have security vulnerabilities and require elevated privileges. No evidence of version pinning or vulnerability scanning. Fix: Regularly audit and update dependencies. Implement SBOM (Software Bill of Materials) scanning. Use tools like 'go mod graph', 'nancy', or Snyk for vulnerability detection. Consider pinning to specific patch versions. Add vulnerability scanning to CI/CD pipeline.
  • Medium · Potential Privilege Escalation Risk — browser/browser_linux.go, browser/firefox/masterkey.go, browser/keydump.go. The tool requires access to browser data which often requires elevated privileges or access to user profiles. The use of D-Bus for Linux keyring access and system-level browser data access could introduce privilege escalation vectors if not properly validated. Fix: Implement principle of least privilege. Document required permissions clearly. Add privilege level validation. Consider using sandboxing mechanisms. Audit all system API calls for proper error handling and access control.
  • Medium · SQLite Database File Access Without Validation — browser/chromium/extract_*.go files using SQLite, browser/firefox/extract_*.go files. The codebase uses modernc.org/sqlite to access browser databases (cookies, history, bookmarks). There is risk of SQL injection if user input is not properly sanitized when constructing queries, though Go's sqlite driver provides some protections. Fix: Use parameterized queries exclusively. Never concatenate user input into SQL queries. Validate and sanitize all inputs. Use prepared statements with ? placeholders. Add input validation tests. Review all SQL query construction in extract_*.go files.
  • Medium · Unencrypted Output Files — browser/archive.go, browser/chromium/archive.go, cmd/hack-browser-data/archive.go. The archive.go files suggest exporting extracted data to files. If these exports are not encrypted, sensitive credentials could be written to disk in plaintext. Fix: Encrypt all exported data using AES-256-GCM or similar. Implement password-protected archive creation. Use restricted file permissions (0600) on all output files. Consider using GPG encryption as an option. Add warnings about plaintext output risks.
  • Medium · Missing Input Validation on File Paths — browser/browser_darwin.go, browser/browser_linux.go, browser/browser_windows.go, browser/chromium/profile.go, browser/firefox/profile.go. File path operations on multiple OS platforms (Darwin, Linux, Windows) with browser profile detection could be vulnerable to path traversal if profile paths are not properly validated. Fix: Implement strict path validation. Use filepath.Abs() and ensure resolved paths are within expected browser directories. Reject paths containing '..' or symbolic links that escape the intended scope. Add path normalization and validation unit tests.
  • Low · Missing Dependency Vulnerability Scanning — go.mod - all dependencies. No evidence of automated dependency scanning in the go.mod file or CI/CD configuration. Dependencies like golang.org/x/sys at v0.30.0 should be regularly audited. Fix: undefined

LLM-derived; treat as a starting point, not a security audit.
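
The path-validation fix suggested above (filepath.Abs plus a containment check that also covers symbolic links) can be sketched as follows. This is an added example, not code from HackBrowserData; `ResolveWithin`, `ErrOutsideRoot` and the directory layout are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot marks a path that resolves outside the allowed directory.
var ErrOutsideRoot = errors.New("path resolves outside the allowed root")

// canonical returns p as an absolute path with symlinks resolved (p must exist).
func canonical(p string) (string, error) {
	abs, err := filepath.Abs(p)
	if err != nil {
		return "", err
	}
	return filepath.EvalSymlinks(abs)
}

// ResolveWithin returns the canonical form of candidate if it lies under root.
// A relative candidate is interpreted relative to root.
func ResolveWithin(root, candidate string) (string, error) {
	realRoot, err := canonical(root)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(realRoot, candidate)
	}
	realCand, err := canonical(candidate)
	if err != nil {
		return "", err
	}
	// Compare path components, not string prefixes: "profiles-evil" shares a
	// prefix with "profiles" but is a different directory.
	rel, err := filepath.Rel(realRoot, realCand)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s", ErrOutsideRoot, candidate)
	}
	return realCand, nil
}

// runChecks builds a constructed layout and reports which candidates pass.
func runChecks() (map[string]bool, error) {
	base, err := os.MkdirTemp("", "profile-paths-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "profiles")
	evil := filepath.Join(base, "profiles-evil")
	for _, d := range []string{filepath.Join(root, "Default"), evil} {
		if err := os.MkdirAll(d, 0o700); err != nil {
			return nil, err
		}
		if err := os.WriteFile(filepath.Join(d, "Login Data"), nil, 0o600); err != nil {
			return nil, err
		}
	}
	// A symlink inside the root that points outside it.
	if err := os.Symlink(evil, filepath.Join(root, "Linked")); err != nil {
		return nil, err
	}
	accepted := map[string]bool{}
	for _, c := range []string{"Default/Login Data", "../profiles-evil/Login Data", "Linked/Login Data"} {
		_, err := ResolveWithin(root, c)
		if err != nil && !errors.Is(err, ErrOutsideRoot) {
			return nil, err
		}
		accepted[c] = err == nil
	}
	return accepted, nil
}

func main() { fmt.Println(runChecks()) }
```

Only `Default/Login Data` is accepted; the `..` traversal and the in-root symlink both resolve into the sibling directory and are rejected. The check is point-in-time, so a file opened later should be opened through the returned canonical path.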

Suggested reading order

Computed from the actual import graph (no LLM). Read in this order to learn the codebase from the foundation up — each step builds on the previous ones.

  1. types/category.go — Foundation: doesn't import anything internally and is imported by 57 other files. Read first to learn the vocabulary.
  2. log/level.go — Foundation: imported by 26, no internal dependencies of its own.
  3. masterkey/abe_windows.go — Built on the foundation; imported by 23 downstream files.
  4. browser/chromium/archive.go — Built on the foundation; imported by 3 downstream files.
  5. browser/archive.go — Layer 2 — composes lower-level code into reusable abstractions (imported 6×).
  6. cmd/hack-browser-data/extract.go — Layer 3 — application-level code that wires the lower layers together.

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.
