New issue
Advanced search Search tips

Issue 635362 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Aug 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Chrome Random Auto Fill Password

Reported by aaronlau...@gmail.com, Aug 7 2016 
VULNERABILITY DETAILS:
On June 26th, 2016 (Didn't report then cause I didn't know yall gave rewards) I logged into my Chrome Book that no one else uses and when I went to Facebook there was a email and password in the auto fill which wasn't mines. I logged into it and I ended up on Zack Jake's account who's a client of mines and on my friends list. He lives in the UK, and I live in Houston, Texas. I was able to fully access his account and pardon my behavior but I recommend my services by posting an add on his profile (Not sure if he ever noticed) & I'll send a screenshot.

VERSION: 
If the Chromebook updates automatically then it was the version as of June 26th, 2016 @ 8:36PM US CENTRAL time.

Operating System: Chrome OS, of June 26th, 2016 @ 8:36PM US CENTRAL.

REPRODUCTION CASE:
Not 100% sure how it happened.

ADVICE & POTENTIAL SOLUTION:
Cookies are saved by specific browsers on specific computers from my knowledge and this guy lives in London, so it shouldn't be that. This one is actually got me pretty good, but this guy is my client so the only way I could see this happening is if the Auto Fills are saved in the logged in Google account and his Auto Fill was somehow switched with mines. So if my account was logged in on the remote VPS my client was using for his website (It was not when I checked) then that could have somehow transferred the password to my Chromebook's auto fill if he logged into Facebook on the VPS.

Don't have auto fill passwords saved within a Google account, that's not really secure. Auto Fills should only be saved on a specific computer in a specific browser on whatever specific (personal computer account) the person is logged into.

My unnecessary comment:
A reward would help fund my technology startup business designed to increase VPS hosting profits by 1,000% - 10,000% and I already have a working prototype. Every company I spoke to said they've never seen a VPS hosting method like it before and I need funding to do further development and take it to the next level. Thanks.
Screenshot_2016-08-07-16-47-00.png
543 KB View Download

Comment 1 by raymes@chromium.org, Aug 8 2016

Status: WontFix (was: Unconfirmed)
Hi there, thanks for the report. We would need reliable reproduction instructions in order to properly triage this. 

With respect to Chrome's autocomplete feature: this is a feature of Chrome which many find useful and the security and privacy risks associated with it have been carefully weighed. Note that it is possible for users to turn off this feature if they desire: https://support.google.com/chrome/answer/165139?co=GENIE.Platform%3DDesktop&hl=en

I will close this as WontFix for now but if you are able to reproduce this consistently, please file a new bug with detailed instructions and we will be able to triage it further. Thank you!
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 14 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment