New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 598698 link

Starred by 3 users
Status: Fixed
Owner:
vabr@chromium.org
hobby only
Closed: Apr 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Drop the password-manager-reauthentication flag

Reported by kchinna...@gmail.com, Mar 29 2016 
PRIVACY ISSUE
The authentication via OS to view saved passwords in chrome can be bypassed.

VERSION:
Chrome Version: 49.0.2623.87 (Official Build) m (32-bit)
Operating System: Windows 10 Home Build 10586.164

REPRODUCTION STEPS
The chrome flag chrome://flags/#password-manager-reauthentication does not require a user to authenticate themselves when disabling the flag. This leaves saved passwords vulnerable if a user leaves their computer unlocked and unattended, as an attacker with no knowledge of the user's password can simply open a browser session, disable the flag, and view all saved passwords, and re-enable the flag without leaving a trace.

Comment 1 by battre@chromium.org, Mar 29 2016

Components: UI>Browser>Passwords
Owner: vabr@chromium.org
To vabr for triaging.

Comment 2 by vabr@chromium.org, Mar 30 2016

Labels: -Pri-3 OS-Mac OS-Windows Pri-2 Type-Bug
Owner: ----
Status: Available (was: Untriaged)
Summary: Drop the password-manager-reauthentication flag (was: Saved passwords viewable without authentication)
Thanks for the report, this is indeed a mistake.

Given that the reauthentication feature launched 2 years ago (launch bug 303113), we should just drop the flag completely.

Comment 3 by vabr@chromium.org, Mar 30 2016

Owner: vabr@chromium.org
Status: Started (was: Available)

Comment 4 by vabr@chromium.org, Mar 30 2016 

CL in progress at https://codereview.chromium.org/1846623002/
Project Member

Comment 5 by bugdroid1@chromium.org, Apr 1 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f639489fe56fd214f2584a71a90d36b30bdfb33c

commit f639489fe56fd214f2584a71a90d36b30bdfb33c
Author: vabr <vabr@chromium.org>
Date: Fri Apr 01 16:21:36 2016

Remove password-manager-reauthentication flag

The flag allowed to switch off reauthentication before viewing passwords on
Mac and Win, a feature which has been launched two years ago.

Together with removing the flag, also the preference
password_manager_allow_show_passwords is removed -- it had no effect unless
the password-manager-reauthentication flag was set.

After this CL, Chrome on Mac or Win will not put passwords inside
about:settings/passwords unless the user reauthenticated.

BUG= 598698 

Review URL: https://codereview.chromium.org/1846623002

Cr-Commit-Position: refs/heads/master@{#384601}

[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/app/generated_resources.grd
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/about_flags.cc
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/android/password_ui_view_android.cc
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/android/password_ui_view_android.h
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/extensions/api/passwords_private/passwords_private_delegate_impl.cc
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/extensions/api/passwords_private/passwords_private_delegate_impl.h
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/extensions/api/settings_private/prefs_util.cc
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/resources/options/password_manager_list.js
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/resources/settings/passwords_and_forms_page/passwords_and_forms_page.html
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/ui/passwords/password_manager_presenter.cc
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/ui/passwords/password_manager_presenter.h
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/ui/passwords/password_manager_presenter_unittest.cc
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/ui/passwords/password_ui_view.h
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/ui/webui/options/password_manager_handler.cc
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/browser/ui/webui/options/password_manager_handler.h
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/common/chrome_switches.cc
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/components/password_manager/core/browser/password_manager.cc
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/components/password_manager/core/common/password_manager_pref_names.cc
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/components/password_manager/core/common/password_manager_pref_names.h
[modify] https://crrev.com/f639489fe56fd214f2584a71a90d36b30bdfb33c/components/policy/resources/policy_templates.json

Comment 6 by vabr@chromium.org, Apr 1 2016

Status: Fixed (was: Started)
The flag should be no more in Chrome 51 (give it 2 days until it reaches Canary).

I propose not merging this to earlier versions, because this is not a recent regression, and 51 will soon become beta.

Sign in to add a comment