Issue 653391

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Feature




Auto Complete may propagate typos to a password verification field

Reported by esteban....@gmail.com, Oct 6 2016

Issue description



VULNERABILITY DETAILS

It's not much of an exploit, but it can lead to a security breach for an individual. The password auto-complete feature inputs passwords in both the initial login screen, and when it requests the user to input their password for verification reasons (change the password).

It seems pointless for a second verification login when Chrome will just auto-fill the information for you.

Without using any tools, a user with hardware access can change an account password. ~not fun.

VERSION
Should not matter.
 
Components: UI>Browser>Passwords
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Pri-3 Type-Feature
Status: Available (was: Unconfirmed)
Summary: Auto Complete may propagate typos to a password verification field (was: Security: Auto Complete )
See https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- for a discussion about why this isn't a security issue.

There may or may not be a small functional issue here, however. The purpose of a verification is to make sure you typed the intended password correctly, given that it is masked to prevent 'shoulder-surfing'. Having Chrome autocomplete the field might be an issue, since any typos would be passed through as-is.

However, given that the Chrome password manager knows the correct value, we might not care, and this makes things easier in that case. Re-assigning as a functional issue.

Comment 2 by vabr@chromium.org, Oct 18 2016

Labels: Hotlist-Polish
Status: WontFix (was: Available)
Thanks for the report and for the comment in #1, which I agree with.

Filling the password is important for the main use-case: transferring the burden of remembering the password from the user to Chrome. Retyping stuff for verification is meant for humans and it is pointless for computers taking care of the data. But that's the issue of the page, not Chrome.
