New issue
Advanced search Search tips

Issue 655347 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Easy way to stole saved password from google chrome

Reported by tolya.ko...@gmail.com, Oct 12 2016 

VULNERABILITY DETAILS
You could steal saved passwords from other pc's using developer console.

VERSION
Chrome Version: all versions
Operating System: Windows 7 and above

REPRODUCTION CASE
1) Await while person leave you alone to do something on its pc
2) Open chrome://settings/passwords - to find out all sites where passwords are saved.
3) Visit all sites you are intrested in
4) Log out if needed
5) Open developer console ctrl+shift+j at network tab
6) submit a form and stop a request before response coming up (prevent page refreshing)
7) Find out a non-stared password in form-data section
8) profit

  
SUGGESTIONS:
Hide all form-data fields values from developer console that equals to password.

Google chrome
1_password.png
99.0 KB View Download
2_site.png
94.8 KB View Download
3_stolen.png
111 KB View Download

Comment 1 by mmoroz@chromium.org, Oct 13 2016

Status: WontFix (was: Unconfirmed)
Thanks for your report. Physically-local attacks are out of Chrome's threat model. Please see the following links for an additional info:
- Reporting Security Bugs page: https://www.chromium.org/Home/chromium-security/reporting-security-bugs
- Security FAQ: http://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-
Project Member

Comment 2 by sheriffbot@chromium.org, Jan 19 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment