
Issue 643613

Starred by 2 users

Issue metadata

Status: Archived
Owner: ----
Closed: Sep 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




'Use password from' option when creating new Gmail account exposes all other Google account passwords.

Reported by jesterco...@gmail.com, Sep 2 2016

Issue description

Chrome Version       : Version 53.0.2785.89 m
URLs (if applicable) : mail.google.com
Other browsers tested:
  Add OK or FAIL, along with the version, after other browsers where you
have tested this issue:
     Safari: not tested
    Firefox: OK
         IE: OK 

Please note that whilst this uses the Dev Tools to reveal the password this is NOT the crux of the issue. (I am aware that this is one of the most reported 'bugs' you folks receive.) 

What blew my mind was when I went to create a new Gmail account. I was not logged into any of my Google accounts; however, when creating a new account, Chrome offers the option to 'use a password for' and then lists the passwords for accounts on that machine - even when the user is not logged in to any Google account.

I am fully aware that saved passwords are of course saved by the OS and anyone with a modicum of knowledge can expose these. 

I see this as fundamentally different. Chrome / Gmail is actually offering the option to use passwords to someone who did not know them and would not necessarily have had the skills to find them. These passwords can then be revealed with the simple Dev tools trick. 

Chrome has no control over password storage in the OS and I know that you view any local attack as beyond the scope of Chrome security; once someone has access to your machine, you're basically knackered! I do see a major difference between this, however, and actually offering up passwords when a user is not logged into a Google account. This strikes me as a significant weakness that can easily be exploited.

Personally I cannot see why this option is offered at all; it does seem rather odd.

The following link is to an (unlisted) YouTube video with a quick demo - I'd welcome your feedback on this one.

https://www.youtube.com/watch?v=GNSr7jqSl_4 

With best regards,

David Pride. 



 
Project Member

Comment 1 by sheriffbot@chromium.org, Sep 4 2017

Status: Archived (was: Unconfirmed)
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
