
Issue 606347


Issue metadata

Status: WontFix
Closed: Apr 2016
Type: Bug-Security




Security: Chrome Password Store

Reported by dtswilli...@hotmail.com, Apr 25 2016

Issue description

VULNERABILITY DETAILS
It's possible to retrieve saved passwords from the password store without having to enter the password for the Windows account.

VERSION
Chrome Version: 50.0.2661.75, stable
Operating System: Windows 7 Ultimate, 64 bit, SP 1

REPRODUCTION CASE
It's possible to retrieve passwords from the store without having to enter the password for the Windows account.

Where a user has left the PC open or untended, it's possible to check the list of passwords for saved sites; these can then be opened in the browser. Pressing F12 opens the developer tools; if jQuery is already available then you can run the command below, or install a plug-in to inject it onto the page.

$("input[type=password]").each( function(){ $(this).attr("type","text") } )

This will result in the password being shown in plain text without having to enter the Windows account password.

Chrome should prevent the changing of attribute types for passwords, or the user should be informed that the password store isn't a 100% secure store.
 
Attachment: pwexample.htm (147 bytes)

Comment 1 by vakh@chromium.org, Apr 25 2016

Status: WontFix (was: Unconfirmed)
Thanks for reporting this issue.

The password is masked as part of the normal flow only to prevent disclosure via "shoulder-surfing" (i.e. the passive viewing of your screen by nearby persons).

An attack that involves physical access to the computer is outside Chrome's threat model because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your computer as you, or who can run software with the privileges of your operating system user account.

Such an attacker can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your computer, and nothing Chrome can do would provide a serious guarantee of defense.

This problem is not special to Chrome — all applications must trust the physically-local user.

Comment 2 by wfh@chromium.org, Apr 25 2016

Labels: -Restrict-View-SecurityTeam

Comment 3 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
