Implement OS reauthentication for viewing passwords on CrOS and GNU/Linux
Reported by ravather...@gmail.com, May 29 2016
Issue description

Click on the save password option after you have logged into some website. The attacker can view the saved passwords easily without any difficulty, as there is no pop-up asking for the login password or something else. When the user clicks on settings > manage passwords and clicks on show password, it must give a pop-up asking the user to enter the login password, but in Linux that's missing. The user saves his password on his PC on Chrome. If you are using Chrome you can go to settings > manage passwords and see the passwords easily. They are neither in encrypted form nor is the browser prompting for a login password. But in Windows, if you try the same, you have to enter the login password of the system to view the saved passwords in text format, whereas in Kali Linux it's not present. If the attacker doesn't know the login password he won't be able to view them. The attacker can take some other person's/friend's laptop/PC and can view the passwords easily even if he doesn't know the password of the system. Privacy of the users using Linux is at 100% risk.
May 31 2016
I agree that both Chrome OS and GNU/Linux should match the behaviour of Mac and Windows here. The original launch bug 303113 for the reauthentication (internal only) and the design doc linked there seem to plan this for all desktop OSes (though GNU/Linux is never mentioned explicitly), not sure why those got dropped silently. To actually implement this on CrOS and GNU/Linux is mainly a question of finding engineers with time to do it. The priority is low, because of how small the user base on the missing two systems is.
Apr 24 2017
Apr 25 2018
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 26 2018
We won't get to this feature this year.
Comment 1 by jonathan.garbee@chromium.org, May 29 2016
Labels: OS-Linux Type-Feature
Summary: System password not asked for on Linux to view password manager (was: Privacy at risk)