Where Does Google Chrome Store User History, Profile & Bookmarks?

I have been using and enjoying Google Chrome for the past couple of days. So as I am setting up my new computer, I am installing Chrome there as well. While doing this, I would like to bring over my saved browsing history and bookmarks so that I don’t have to build it from scratch on the new machine. The only problem is that while Chrome makes it very easy to import existing settings from Firefox, it does not display any visible option to export current settings.

After a bit of digging, I found the location where Chrome stored user data:

  • On XP – C:\Documents and Settings\<User Name>\Local Settings\Application Data\Google\Chrome\User Data
  • On Vista - C:\Users\<User Name>\AppData\Local\Google\Chrome\User Data

The User Data folder contains three files: Local State, Safe Browsing and Safe Browsing Filter, along with a folder called Default. Default in turn contains your browser cache, plugin data, and all of your cookies and history data. To move my profile over to my new computer, I copied all of the files and folders under User Data on my XP machine, and moved them into the User Data on my new Vista machine (all of the files were nearly 100mb after only four days of use, which will give you some kind of idea about the amount of indexing going on in the background). When I next started Chrome on my Vista machine, it was identical to the app on my XP machine, down to most popular sites, history and cookies. I even started writing this post on my XP machine, and then continued it on my Vista machine without having to log in again into my WordPress admin.

In the end this was pretty easy to do. Though the ease of profile transfer could in turn make it easy for someone to steal someone else’s identity – after all, the cookies file (presumably a sqllite db or something similar) was only 256KB, and merely dropping it in the new User Data allowed a complete transfer of identity (perhaps a good security feature would be to allow the \User Data\Default\Cookies file to work only on the originally installed instance).

Forget the Password for IUSR?

I was changing around the Directory Security for an ASP.net page. In the process of doing this, the IUSR account was removed. After fixing the problem, I wanted to set the Anonymous Access for the website back to IUSR. Unfortunately, I needed the password for the IUSR account in order to do this.

WindowsITPro has a great solution posted for retrieving the username and password information for IUSR.

Just in case that link ever goes down, here is the solution: Take the following code, save it in NotePad as a .vbs file and run it.

Worked like a charm

Don’t Trust ViewState

In this blog post by Scott Mitchell, Scott gives a review of the issues brought up by this article, discussing ways in which a page’s ViewState in ASP.net could be used to compromise a site. ViewState is encrypted by default (unless you set EnableViewStateMac to false, which you shouldn’t need to do). If a ViewState is posted to a page that did not encrypt it, the server will throw an error. However, if a ViewState is posted to the same page (perhaps with different querystring parameter settings), the page may accept the posted VIewState and use its data:

The point is, don’t trust view state (or the data that is put there by Web controls, such as the DataGrid). That is, if you have important information, such as pricing data, it’s OK if it is placed in view state (such as in a row in a DataGrid), but don’t grab the pricing data to charge by just poking around the view state (as in programmatically accessing the contents of a DataGrid). Instead, if you need to get pricing information (or any other important bit of information) for the final order processing, it is imperative that you requery the database.

You have been warned.