New Password Stealer Bypasses 2FA--Chrome, Edge And Firefox Targeted

https://www.forbes.com/sites/daveywinder/2026/04/06/new-password-stealer-bypasses-2fa-chrome-edge-and-firefox-targeted/

A new security threat for users of the world’s most popular web browsers, Google Chrome, Microsoft Edge and Mozilla Firefox, has been confirmed by Varonis Threat Labs researchers. And this one’s a doozy: a password stealer, a session cookie compromiser to enable two-factor authentication bypass, and a payment card data grabber all rolled into one. Here’s what you need to know about Storm, the latest infostealer platform now available for cybercriminals to rent.

If you clicked on that last link, you will already know that infostealer attack platforms for hire to cybercriminal operators are not new, but Storm is a particularly concerning example of the genre. “Beyond credentials,” the Varonis Threat Labs analysis confirmed, “Storm grabs documents from user directories, pulls session data from Telegram, Signal, and Discord, and targets crypto wallets through both browser extensions and desktop apps,” and that’s not all. “System information and screenshots are captured across multiple monitors,” the report continued. Here’s everything that we know abiout Storm so far.

No sooner have more than three billion Chrome users been given a security wake-up call, as Google confirmed a new zero-day exploit out in the wild, another billion web browser users have been put on alert. A new report from the Varonis Threat Labs has warned users of Google Chrome, Microsoft Edge and Mozilla Firefox of a new infostealer service, already being rented out to cybercriminals, that can remotely decrypt credentials in a way that allows the attackers to stealthily evade security measures, according to senior Varonis security researcher, and author of the report, Daniel Kelley.

This low-cost cybercrime toolkit can be rented for as little as $1000 a month, and, yes, that isn’t a lot of money for an attacker who is looking at something that can harvest browser credentials, session cookies and crypto wallets, and then proceed to very quietly send the whole lot back to their server to be decrypted. This, Kelley warned, represents a shift in the evolution of credential theft. And that matters because, whereas the attacker used to decrypt credentials on the victim device using SQLite libraries that accessed the credential store directly, for those of a technical bent, that got difficult to pull off as security tools learned to recognize such local browser database access as a huge red flag. The difficulty knob was turned to 11 when Google introduced App-Bound Encryption in 2024, with the launch of Chrome 127, which binds encryption keys to Chrome itself. Even when attackers started abusing the Chrome debugging protocol or injecting directly into Chrome, security tools were still able to detect traces and act.