Security: Account passkey bypassed in chrome settings, revealing passwords.
Reported by russ7t...@gmail.com, Jun 11 2016
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template.

Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: [51.0.2704.84] + [stable]
Operating System: Windows 10, win7 SP1, GNOME 3.0, MacOS 10.11, other linux, windows XP sp2

REPRODUCTION CASE
The vulnerability is that anyone with access to account x can see the other's passwords. All you have to do to see the passwords is to acquire local user x's logon, then go into Chrome. In the access bar, type chrome://settings/passwords, and click show.

One application of this is on a server. There could be an inside job, where one foolish company member logs into Chrome on the workstation, yet the hacker uses it as a Remote Desktop as Administrator. The hacker resets the user password, then opens Chrome. He either types chrome://settings/passwords or he installs a screen recorder that captures the passwords through a redirect in a website. Let's say he set the homepage as x.com. The hacker changes this to x.(net, org, or any others), and codes the page to redirect to chrome://settings/passwords. The user sees a local logon as he sees the prompt. The foolish user logs on, and as he clicks show, his screen is being captured by the malware, or the hacker sees it via impersonating the fool.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: (N/A)
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
Sep 20 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nparker@chromium.org, Jun 13 2016