
Issue 608244

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: ACCESSING ANY ASTERISK PROTECTED LOCALLY STORED PASSWORD BY MODIFYING A CODE LINE

Reported by nestorsa...@gmail.com, May 2 2016

Issue description

VULNERABILITY DETAILS


I found that I can get any stored password in GOOGLE CHROME BROWSER by simply modifying a code line. 

Normally stored passwords are shown alongside the stored account in any service (Facebook.com; gmail.com; hotmail.com; etc...) but the password is protected by having the characters shown as simple asterisks, like this:

username: dsres1213@anymail.com    password: ********

When you right-click inside the password box you can choose the option "inspect" or simply press F12 and you will access the console. Being there we will find the code line having this info:

type:"password"

When I modify that line into this:

type:"text"

The password that was a few moments ago protected with asterisks becomes normal characters again, like this:

What was before modifying the code line:

username: dsres1213@anymail.com    password: ********

After modifying code line:

username: dsres1213@anymail.com    password: trial123

This seems to be a serious threat to privacy and users' security because there are a lot of people accessing other people's laptops and devices and if they know about this vulnerability, they can easily get access to different accounts and services. For example, a technician receiving dozens of PCs and laptops daily with many stored accounts for different services from Facebook to banking platforms. Knowing about this vulnerability, the technician has at hand the possibility of getting another person's private and critical information by simply modifying a code line. And not only in that scenario: anyone knowing about this bug has great potential to get personal information from any device accessed.



VERSION
Chrome Version: [Version 49.0.2623.112] + stable
Operating System: [Windows 7 64 bits, Service Pack 1]

REPRODUCTION CASE

FOR REPRODUCTION, I'M ATTACHING SOME SCREENSHOTS EXPLAINING THE PROCESS STEP BY STEP.



 
Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
What you are describing is not a security issue and is covered by our security FAQ: http://dev.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools-
Project Member

Comment 2 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
