HackBrowserData is a command-line tool for decrypting and exporting browser data (passwords, history, cookies, bookmarks, credit cards, download history, localStorage, sessionStorage and extensions) from the browser. It supports the most popular Chromium-based browsers and Firefox on Windows, macOS and Linux, plus Safari on macOS.
It can also decrypt data across machines and operating systems: export the master keys on the origin host, then decrypt a copy of the data offline on any other host — even for a browser that the analyst host's OS cannot run (see Cross-host decryption).
Disclaimer: This tool is only intended for security research. Users are responsible for all legal and related liabilities resulting from the use of this tool. The original author does not assume any legal responsibility.
| Category | Chromium-based | Firefox | Safari |
|---|---|---|---|
| Password | ✅ | ✅ | ✅ |
| Cookie | ✅ | ✅ | ✅ |
| Bookmark | ✅ | ✅ | ✅ |
| History | ✅ | ✅ | ✅ |
| Download | ✅ | ✅ | ✅ |
| Credit Card | ✅ | - | - |
| Extension | ✅ | ✅ | ✅ |
| LocalStorage | ✅ | ✅ | ✅ |
| SessionStorage | ✅ | - | - |
On macOS, some Chromium-based browsers require a current user password to decrypt.
Password decryption may fail on macOS 26.4 or later.
| Browser | Windows | macOS | Linux |
|---|---|---|---|
| Chrome | ✅² | ✅ | ✅ |
| Chrome Beta | ✅² | ✅ | ✅ |
| Chromium | ✅ | ✅ | ✅ |
| Edge | ✅² | ✅ | ✅ |
| Brave | ✅² | ✅ | ✅ |
| Opera | ✅ | ✅ | ✅ |
| OperaGX | ✅ | ✅ | - |
| Vivaldi | ✅ | ✅ | ✅ |
| Yandex | ✅ | ✅ | - |
| CocCoc | ✅² | ✅ | - |
| Arc | ✅ | ✅ | - |
| DuckDuckGo³ | ✅ | - | - |
| QQ³ | ✅ | - | - |
| 360 ChromeX³ | ✅ | - | - |
| 360 Chrome³ | ✅ | - | - |
| DC Browser³ | ✅ | - | - |
| Sogou Explorer³ | ✅ | - | - |
| Firefox | ✅ | ✅ | ✅ |
| Safari¹ | - | ✅ | - |
¹ Safari requires Full Disk Access; enable it in System Settings → Privacy & Security → Full Disk Access if extraction returns empty results.
² On Windows, decrypting Chromium 127+ cookies (Chrome / Chrome Beta / Edge / Brave / CocCoc) requires the App-Bound Encryption payload built via
make build-windows— see Building from source below.³ These browsers ship only on Windows, but their data is decryptable on any OS: pull the files with
archive, export the keys withdumpkeys, then decrypt on macOS or Linux withrestore— see Cross-host decryption.
Installation of HackBrowserData is dead-simple, just download the release for your system and run the binary.
In some situations, this security tool will be treated as a virus by Windows Defender or other antivirus software and can not be executed. The code is all open source, you can modify and compile by yourself.
Requires Go 1.20+.
git clone https://github.com/moonD4rk/HackBrowserData
cd HackBrowserData
go build ./cmd/hack-browser-data/# For Windows (standard build, no Chromium 127+ ABE cookie support)
GOOS=windows GOARCH=amd64 go build ./cmd/hack-browser-data/
# For Linux
GOOS=linux GOARCH=amd64 go build ./cmd/hack-browser-data/Chrome / Chrome Beta / Edge / Brave / CocCoc 127+ protect cookies with App-Bound Encryption. Decrypting those cookies requires a small C payload — Zig (0.13+) is the recommended C toolchain (the Makefile calls zig cc). MinGW-w64 gcc can also build the sources manually if you bypass make payload.
# 1. Install Zig
brew install zig # macOS
scoop install zig # Windows (scoop)
# or download from https://ziglang.org/download/
# 2. Build the payload (outputs crypto/windows/payload/abe_extractor_amd64.bin)
make payload
# 3. Build hack-browser-data.exe with the ABE payload embedded
make build-windowsThe resulting hack-browser-data.exe includes full ABE cookie decryption on Chromium 127+.
$ hack-browser-data -h
hack-browser-data decrypts and exports browser data from Chromium-based
browsers and Firefox on Windows, macOS, and Linux.
GitHub: https://github.com/moonD4rk/HackBrowserData
Usage:
hack-browser-data [flags]
hack-browser-data [command]
Available Commands:
archive Pack decryption-relevant profile files into a zip for cross-host restore
dump Extract and decrypt browser data (default command)
dumpkeys Export Chromium master keys as JSON for cross-host decryption
help Help about any command
list List detected browsers and profiles
restore Decrypt copied profile data using exported master keys
version Print version information
Flags:
-b, --browser string target browser: all|chrome|firefox|edge|... (default "all")
-c, --category string data categories (comma-separated): all|password,cookie,... (default "all")
-d, --dir string output directory (default "results")
-f, --format string output format: csv|json|cookie-editor (default "json")
-h, --help help for hack-browser-data
--keychain-pw string macOS keychain password
-p, --profile-path string custom profile dir path, get with chrome://version
-v, --verbose enable debug logging
--zip compress output to zip
Use "hack-browser-data [command] --help" for more information about a command.
Running hack-browser-data without a subcommand defaults to dump.
| Flag | Short | Default | Description |
|---|---|---|---|
--browser |
-b |
all |
Target browser (all|chrome|firefox|edge|...) |
--category |
-c |
all |
Data categories, comma-separated (all|password|cookie|bookmark|history|download|creditcard|extension|localstorage|sessionstorage) |
--format |
-f |
json |
Output format (csv|json|cookie-editor) |
--dir |
-d |
results |
Output directory |
--profile-path |
-p |
Custom profile dir path, get with chrome://version | |
--keychain-pw |
macOS keychain password | ||
--zip |
false |
Compress output to zip |
--format cookie-editorwrites only cookies, as a JSON array matching the Cookie-Editor browser extension's import format; non-cookie categories are skipped.
Decrypt browser data on an analyst host that was collected on a different origin host — including a browser whose engine the analyst's OS cannot even install (e.g. decrypt Sogou or QQ Browser data on macOS). Nothing platform-bound (DPAPI, macOS Keychain, Chrome App-Bound Encryption) has to leave the origin: the master keys are exported once, and decryption then runs entirely offline from a copy of the data.
The workflow uses three commands and two transportable artifacts:
| Step | Host | Command | Produces |
|---|---|---|---|
| 1 | origin | dumpkeys |
keys.json — portable master keys |
| 2 | origin | archive |
browser-data.zip — only the files needed to decrypt |
| 3 | analyst | restore |
decrypted output (csv / json / cookie-editor) |
# On the origin host (any OS) — export the keys and pack the data
hack-browser-data dumpkeys -o keys.json
hack-browser-data archive -o browser-data.zip
# Copy keys.json + browser-data.zip to the analyst host, then decrypt offline
hack-browser-data restore --keys keys.json --data-zip browser-data.zip
keys.jsoncontains plaintext master keys — treat it as a secret.dumpkeys -owrites it with0600permissions; prefer streaming it over a secure channel instead of leaving it on disk.
Derives each Chromium installation's master keys on the origin host and writes them as JSON (Firefox / Safari have no portable key and are skipped). Defaults to stdout so it can be piped over SSH.
| Flag | Short | Default | Description |
|---|---|---|---|
--browser |
-b |
all |
Target browser (all|chrome|edge|...) |
--output |
-o |
stdout | Output file (written 0600); stdout if omitted |
--keychain-pw |
macOS keychain password |
Collects only the files a restore actually needs (cookies, login data, history, …) through the same locked-file bypass used for extraction, so live SQLite files are read safely on Windows. The zip is laid out as <browser-key>/<User Data layout>, so one archive can carry several browsers and restore stays unambiguous. Entry names are always forward-slash, so a Windows-produced archive restores on macOS / Linux.
| Flag | Short | Default | Description |
|---|---|---|---|
--browser |
-b |
all |
Target browser (all|chrome|edge|...) |
--category |
-c |
all |
Data categories, comma-separated |
--output |
-o |
browser-data.zip |
Output archive path |
Rebuilds each Chromium engine straight from keys.json and decrypts the supplied data — it never consults the analyst's local browser table, so the browsers you can restore are exactly the vaults in your keys.json. Supply the data one of two ways (exactly one is required):
--data-zip— a zip produced byarchive; extracted to a temp dir and removed afterward.--data-dir— a directory. Either thearchivelayout (<browser-key>/..., several browsers at once), or one browser's hand-copiedUser Dataroot, which is unambiguous only for a single browser — so pair it with-b.
-b is an optional filter over the dump's vaults, not a required selector.
| Flag | Short | Default | Description |
|---|---|---|---|
--keys |
required | Keys file from dumpkeys (use - for stdin) |
|
--data-zip |
Zip from archive (mutually exclusive with --data-dir) |
||
--data-dir |
Copied data dir (mutually exclusive with --data-zip) |
||
--browser |
-b |
Restore only this browser; must match a vault in --keys |
|
--category |
-c |
all |
Data categories, comma-separated |
--format |
-f |
json |
Output format (csv|json|cookie-editor) |
--dir |
-d |
results |
Output directory |
--zip |
false |
Compress output to zip |
# Stream keys over SSH (no keys.json on disk), data copied separately
ssh origin "hack-browser-data dumpkeys" | \
hack-browser-data restore --keys - --data-zip browser-data.zip
# Restore one browser from a hand-copied User Data folder (no archive)
hack-browser-data restore --keys keys.json --data-dir ./chrome-userdata -b chrome| Flag | Default | Description |
|---|---|---|
--detail |
false |
Show per-category entry counts |
hack-browser-data version| Flag | Short | Description |
|---|---|---|
--verbose |
-v |
Enable debug logging |
# Extract all data from all browsers (default)
hack-browser-data
# Extract specific browser and categories
hack-browser-data dump -b chrome -c password,cookie
# Export in CSV format to a custom directory (JSON is the default)
hack-browser-data dump -b chrome -f csv -d output
# Export cookies in CookieEditor format
hack-browser-data dump -f cookie-editor
# Compress output to zip
hack-browser-data dump --zip
# List detected browsers and profiles
hack-browser-data list
# List with per-category entry counts
hack-browser-data list --detail
# Use custom profile path
hack-browser-data dump -b chrome -p "/path/to/User Data/Default"We welcome and appreciate any contributions made by the community (GitHub issues/pull requests, email feedback, etc.).
Please see the Contribution Guide before contributing.
Roger |
Aquilao Official |
uinfziuna8n |
Cyrus |
stevenlele |
Carlo Mandelli |
slimwang |
zznQ |
YuXJ |
mirefly |
LC |
zhe6652 |
guoguangwu |
beichen |
Santiago Ramirez |
Ciprian Conache |
a-urth |
Amir. |
HackBrowserData is a part of 404Team StarLink-Galaxy, if you have any questions about HackBrowserData or want to find a partner to communicate with, please refer to the Starlink group.
HackBrowserData had been being developed with GoLand IDE under the free JetBrains Open Source license(s) granted by JetBrains s.r.o., hence I would like to express my thanks here.
