
Issue 607424

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

Blocking:
issue 777299




Security: saved passwords can be seen without entering the password of the Windows account

Reported by drn...@gmail.com, Apr 28 2016

Issue description

VULNERABILITY DETAILS
Saved passwords can be seen without entering the password of the Windows account

VERSION
Chrome Version: 51.0.2704.29 beta-m (64-bit)
Operating System: Windows 7 64 bit SP1, with automatic login for a user with administrative rights 

REPRODUCTION CASE
After restarting the computer, starting up Chrome immediately and opening settings/passwords, the saved passwords can be shown for a minute or two without being asked for the password of the Windows account. I could reproduce the issue several times after restarting the computer.

Chrome Extensions in use:
- AdBlock v2.56
- Application Launcher for Drive (by Google) v3.2
- Chromium Wheel Smooth Scroller v1.4.1
- Google Docs Offline v1.4
- Speed Dial 2 v2.1.2

Automatically starting Windows apps:
- Avast
- Comodo
- Tobii EyeX
- Logitech Gaming Software
- AMD Radeon Settings
- ASUS GPU Tweak
 

Comment 1 by rsesek@chromium.org, Apr 28 2016

Components: UI>Browser>Passwords
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Windows Pri-2 Type-Bug
Owner: wfh@chromium.org
Status: Assigned (was: Unconfirmed)
We don't consider this a security issue because physically local attacks are outside Chrome's threat model (http://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-).

However, this may be a functional bug, since the password prompt should run.

Comment 2 by kolos@chromium.org, Jan 26 2018

Blocking: 777299
