Security: ACCESSING ANY ASTERISK PROTECTED LOCAL STORED PASSWORD BY MODIFYING A CODE LINE
Reported by
nestorsa...@gmail.com,
May 2 2016
Issue description

VULNERABILITY DETAILS

I found that I can get any stored password in GOOGLE CHROME BROWSER by simply modifying a code line.

Normally stored passwords are shown alongside the stored account in any service (Facebook.com; gmail.com; hotmail.com; etc...) but the password is protected, having the characters as simple asterisks like this:

username: dsres1213@anymail.com
password: ********

When you click with the right button of the mouse inside the password box you can choose the option "inspect" or simply press F12 and you will access the console. Being there we will find the code line having this info:

type:"password"

When I modify that line into this:

type:"text"

The password that was a few moments ago protected with asterisks becomes normal characters again, like this:

What it was before modifying the code line:

username: dsres1213@anymail.com
password: ********

After modifying the code line:

username: dsres1213@anymail.com
password: trial123

This seems to be a serious threat to privacy and users' security because there are a lot of people accessing other people's laptops and devices, and if they know about this vulnerability, they can easily get access to different accounts and services.

For example, a technician receiving dozens of PCs and laptops daily with many stored accounts for different services, from Facebook to banking platforms. Knowing about this vulnerability, the technician has at his hand the possibility of getting another person's private and critical information by simply modifying a code line.

And not only in that scenario: anyone knowing about this bug has a great potential to get personal information from any device accessed.

VERSION

Chrome Version: [Version 49.0.2623.112] + stable
Operating System: [Windows 7 64 bits, Service Pack 1]

REPRODUCTION CASE

FOR REPRODUCTION, I'M ATTACHING SOME SCREENSHOTS EXPLAINING THE PROCESS STEP BY STEP.
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
Comment 1 by rsesek@chromium.org, May 2 2016
Status: WontFix (was: Unconfirmed)