
Issue 604976

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Password Vulnerability

Reported by leshawnr...@gmail.com, Apr 20 2016

Issue description

VULNERABILITY DETAILS
In Google Chrome, the option to save passwords comes up when you enter login information into a website. To access this information in the passwords page on Google Chrome, on Windows 10, one must enter their Windows password, and be logged into the Google Chrome account.

When, on a different computer, one logs into the Google Account, and attempts to look at the passwords, they are prompted with the same Password Enter box. However, they can enter their Windows password and still gain access to any passwords stored on that account. I recently got a new computer, and tested this myself and it worked. If one were to gain Google Chrome accounts through phishing or other means, they would in turn have access to all passwords stored on that account.

VERSION
Chrome Version: [49.0.2623.112] + [stable]
Operating System: [Windows 10, Home, Version 1511 (OS Build 10586.218)]

 

Comment 1 by wfh@chromium.org, Apr 20 2016

Issue 604974 has been merged into this issue.

Comment 2 by wfh@chromium.org, Apr 20 2016

Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
By logging into Chrome on another computer you are syncing all your data and anyone with physical access to that computer can read or modify your data.

You should only sign into computers that you trust, use a secure OS password, and lock your screen when not in use.

This type of attack is outside Chrome's threat model. Please see the security FAQ for more details.

https://www.chromium.org/Home/chromium-security/security-faq

So if someone manages to get your Google Chrome info there's nothing you can do if you don't catch the breach in time?

Consider protecting your Google account using 2-factor authentication? You can also choose not to sync passwords at all.

Project Member

Comment 5 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
