All web browsers store cookies in plain text, or in databases, that can be read with the right tools. That requires local access to the system, which means that the chance of cookie data leaking is limited.
Still, malicious software could pull the information from user PCs considering that cookie storage is usually linked to a single location on the system.
While that differs from web browser to web browser, it is not difficult to check them all and grab what you can in the process.
And if a hard drive or partition is not encrypted, it may also be possible to scan the hard drive externally to dump the information.
Google Chrome saves cookies to a file in the user's data folder. It is named Cookies and is a SQLite database. You can load it into any SQLeditor, for instance Firefox's SQLite Manager extension, to read all cookies that have been saved to the local system as a result of the user's Internet activities.
A recent change to Chromium has the consequence that all desktop versions of Google Chrome will encrypt stored cookies in the near future (while Chrome OS and Android use fully encrypted profiles already).
This only affects new cookies saved to the system after Chrome is updated with the new implementation. Existing cookies remain as is, while all new cookies will be encrypted by default by the browser.
According to Google, the performance drop that goes along with encrypting cookies is insignificant. On Macs, it is 1ms while Windows users may experience slow downs up to 0.7ms.
So how well is the new protection?
It needs to be noted that this won't protect cookies of a user if that user is signed in on the system. So, if you hand over your computer to another person, they may still read the cookies.
It changes things for other users with access to the operating system, and also in regards to software on external machines that scans, analyzes and transfers data from the system in question.
Say you want to analyze the computer's hard drives for forensic evidence. Depending on the level of encryption, it may be possible to dump all cookies and other sensitive information, or not.
With encrypted cookies, only the encrypted bits of data can be dumped, but not the plain text information directly.
In other words: if you are the only user of the system and use full disk encryption, then it won't add any level of protection to it.
If there are multiple users, it may protect the cookies from being snagged by other users. This too depends on the level of protection on the system.
And if you do not use encryption, it may also protect the cookies from being read by third-parties trying to transfer information from the PC to another system.
If you share your PC, or do not use full disk encryption, then you may benefit from this new encryption of cookies. In all other scenarios, you won't.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.