
Issue 609111


Issue metadata

Status: WontFix
Owner: ----
Closed: May 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Google Chrome "Manage Passwords" Vulnerability

Reported by 4myadsen...@gmail.com, May 4 2016

Issue description


VULNERABILITY DETAILS

By default, Google Chrome prompts you to save passwords while we are trying to log into a particular online service, for example Facebook or Twitter. These saved passwords are readily available to anyone with an unlocked computer. This issue is very critical when it comes to shared computers. If someone forgets to unlock or log out of their access, another user can easily use the "Show advanced settings" feature under "Settings" to view the saved passwords without the Admin access password.

In my office alone, there were several instances where colleagues exploited this feature/bug to threaten people they don't like.

VERSION

Chrome Version: Version 50.0.2661.94 m
Operating System: Windows 8.1

REPRODUCTION CASE

The issue can be resolved by inducing admin access while trying to "view" the saved password from the Advanced setting section.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Not Applicable

 

Comment 1 by wfh@chromium.org, May 4 2016

Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
Anyone with physical access to a shared computer can do anything they like on the machine including, but not limited to, installing a keylogger, installing malware, or reading all the user data on the machine.

There is nothing Chrome can do to prevent these types of attacks - see the FAQ entry for more - https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

The recommendation is to separate physical people by separate, password protected user accounts, and also lock your screen when you are away from your computer.

Aside, your proposed solution to require admin access to show a password would not work for those people who do not have admin access on their workstation e.g. in a corporate environment.

This is about Chrome and not about installing malware. A person in your position, how can you easily squash a critical security flaw of one of your leading products?

Best

Athul
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
