Locked keyring chrome still displays passwords in chrome://settings/passwords
Reported by
przemek...@gmail.com,
Jun 10 2016
|
|||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 Steps to reproduce the problem: 1. login to ubuntu, lock the login keyring 2. open chrome, click cancel on the prompt that asks to unlock keyring 3. open chrome://settings/passwords, you can see all passwords without being prompted for keyring What is the expected behavior? What went wrong? passwords show in chrome even though keyring is locked Did this work before? N/A Chrome version: 51.0.2704.84 Channel: stable OS Version: Ubuntu 14.04 Flash Version: Shockwave Flash 21.0 r0
,
Jun 10 2016
+rsleevi@ per wfh@.
,
Jun 10 2016
Thanks for the report. Could you please follow http://crbug.com/583263#c9 and check whether your instance of Chrome does not use the profile SQL database instead of the Keyring? I tested on my machine (GNU/Linux with Cinnamon, Chrome 51.0.2704.84 (Official Build) (64-bit)) that when I lock the keyring, passwords disappear from chrome://settings/passwords, and when I unlock it (and refresh the settings), they appear again.
,
Jun 10 2016
A side note: we plan to migrate Chrome from using the Keyring, bug 571003, so in the future, all instances will use the profile login database and will not depend on the keyring.
,
Jun 10 2016
wfh: Not sure why you suggested me. I haven't the slightest for the password management code (only how we use the OSCrypt functionality, but AIUI, the password manager doesn't do that)
,
Jun 10 2016
,
Jun 12 2016
Yes when I lock and unlock keyring it works as you described. So actually what happened is I changed my keyring password to be different than my login password, and what chrome did on boot is it switched to using the sqllite database and quering that table revealed all my passwords. Once I switched the keyring password back to be the same as login password, the sqllite database disappeared and it started using keyring again. So somehow chrome is able to get the passwords from somewhere and put them into the sqllite database? Oh right, probably from the cloud?
,
Jun 12 2016
Thank you for providing more feedback. Adding requester "vabr@chromium.org" for another review and adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 13 2016
Thanks for the clarification in #7. It is unfortunate that Chrome would fall back to the login database without noticing the user. This would definitely be something we need to fix, were it not for getting rid of the whole Keyring backend for storing passwords (bug 571003). However, even without storing passwords in the Keyring we will use the Keyring to store the passphrase for encrypting the passwords in the database. We must make sure that we won't silently fall back to not encrypting the passwords if the keyring is temporarily inaccessible. I filed bug 619485 to track that. As for Chrome switching back to the keyring: that should only work if you sync your passwords through Chrome Sync. If you don't, there is no local migration mechanism which would do that. While this definitely is an issue, the quickest way forward for us is still to finish the transition in bug 571003 and prevent the reincarnation of this issue in bug 619485. Fixing the current state would delay the former, which has also other benefits. Therefore I'm marking this as WontFix. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by nparker@chromium.org
, Jun 10 2016Components: UI>Browser>Passwords
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug