New issue
Advanced search Search tips

Issue 609088 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Reveal saved password in 10 seconds

Reported by gravou...@gmail.com, May 4 2016

Issue description

I noticed that on every login page (fb, google, yahoo...), when you are not connected and that Chrome knows your data (without displaying them of course), if you are a little curious by just inspecting the page you get this about the password: 

<input name="passwd" id="login-passwd" class="login-input  pure-u-1" type="password" maxlength="64" tabindex="2" aria-required="true" placeholder="Password" title="Password" autocorrect="off" autofocus="">

And by just changing ""type=password" by "type=text" it shows the password...!

VULNERABILITY DETAILS

Its means that anyone who get access to the computer directly or via a VPN can reveal any passwords quite easily and that the settings/managing passwords is not secured at all.

VERSION
Chrome Version:  50.0.2661.94 (64-bit)
Operating System: [MAC OS, El Capitan version beta 10.11.5]

REPRODUCTION CASE
Just do as explained before and you can see any passwords on any computer
 
Capture d’écran 2016-05-04 à 13.53.57.png
116 KB View Download
Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
What you are describing is not a security issue and is covered by our security FAQ: http://dev.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools-
Project Member

Comment 2 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Sign in to add a comment