Security: In Chrome Auto Save Password
Reported by binufrom...@gmail.com, Apr 21 2016
Issue description
VULNERABILITY DETAILS
Dear Chrome Developers, this security issue looks simple, but it is a serious issue that can compromise the user passwords entered through the Chrome browser. The issue is that Chrome provides an "Auto Save Password" facility. When the user clicks "Auto Save Passwords", then from the next login the password will be filled automatically in the password text box, or whenever you enter the user name, the password text box will be filled at that time. Here the security is compromised, because if any stranger, another user, a co-worker or a hacker accesses your computer, he can see the user's password for which the user selected the "Auto Save Password" option.
VERSION
Chrome Version: [50.0.2661.75 m]
Operating System: [Windows 7 Ultimate SP1, 64bit]
REPRODUCTION CASE
Step-1:
Write the user name or email address and the password in the respective text boxes.
Step-2:
Try to log in to the website (it may be the user's bank account website, Facebook, Gmail, Hotmail, etc.). The Chrome browser will then offer the "Auto Save Password" option; click "Yes" and proceed.
Step-3:
Close the website or log out from the respective site.
Step-4:
Open the browser and open any website for which the user selected the "Auto Save Password" facility (this may be done by another user, a co-worker, a stranger or a hacker).
Step-5:
Select the password text in the "Password Text Box", then right click, then click "Inspect Element"; it will focus the "Password Textbox" attributes.
Step-6:
Select the element <input type="password"> and right click, then click "Edit Attributes" and replace it with <input type="Text">, then click in the browser area; the user can then see the password.
Security Compromise:
Any stranger, co-worker, other user or hacker can simply reveal the user's passwords for email accounts, bank accounts and social media accounts.
My Opinion:
1- This is one of the big security bugs where a security compromise happens.
2- The "Password Textbox" should be disabled or encrypted.
I have attached screenshots of the security bug.
Regards,
BINU NARAYANAN
Sr. Software Engineer
,
Apr 21 2016
OK Mr. Thestig,
Issue 605437
I got a comment from you that says:
"This sounds a lot like https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools-"
Do you mean that the security can be compromised locally? And do you mean that it is no problem if somebody accesses my computer and can reveal my passwords for which I use the Auto Save option?
,
Apr 21 2016
Dear Lei Zhang, I read the FAQ carefully, but the matter is why Google can't disable the password text field. Maybe there will be options in the settings, but there is no scope to go to the settings to enable or disable it. Check the screenshot of the Internet Explorer browser: you can't directly edit the HTML code. Also check the screenshot of some banking sites. I think the Google team is escaping from the issue?
,
Apr 21 2016
binufromriyad@gmail.com: Thanks for reporting the issue. As has been pointed out already, and is described in detail on the FAQ page[1], if an attacker has physical access to your computer logged in as you, they:

<quote>
can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your computer, and nothing Chrome can do would provide a serious guarantee of defense. This problem is not special to Chrome — all applications must trust the physically-local user.
</quote>

I am not sure what you meant to convey through the Internet Explorer screenshot, but I tried to open the same site in Chrome and got similar results. Please see the image attached.

[1] http://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

Marking as WontFix.
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by thestig@chromium.org, Apr 21 2016