Security: Users may not recognize that password sync is enabled
Reported by 2087den...@gmail.com, Oct 25 2016
Issue description

VULNERABILITY DETAILS
Google Chrome syncs local passwords to an online account, which can show the passwords in clear text (the Google password service). The vulnerability is that Google Chrome ASSUMES that the first account logged in is the real user of Chrome. That assumption is so wrong! Another user could borrow the computer, use Chrome, and log on to Chrome. This way he will get all local passwords synced to his account. To delete his tracks, he just deletes his Chrome account and everything looks normal to the real user.

VERSION
Chrome Version: [54.0.2840.71 m] Downloaded 25.10.2016 from https://www.google.com/chrome/
Operating System: [Windows 7 with latest SP and fully patched]

REPRODUCTION CASE
1. Make a brand new installation of Windows 7 with all SPs and patches on. Install the latest Chrome from https://www.google.com/chrome/
2. Access a website, log in with username and password. Tell Chrome to save the username/password.
3. Close Chrome. Start Chrome. Access the same website and ensure that Chrome supplies the username and password for the website.

Here is the vulnerability: Many people don't use the "log on Chrome" functionality. They just use Chrome "offline" - no problem in that (in this scenario). But when the "Log on Chrome" function is used for the first time, then Chrome ASSUMES! that this user is the real owner of the computer/real user of Chrome. That assumption is so wrong! But anyway, Chrome begins a sync of the saved passwords to this newly logged in online user account. After 2 seconds, the local passwords can be viewed in clear text from another computer pointing at https://passwords.google.com - log in with the same account used before in Chrome.

I know that Google is not aware of this vulnerability, because then it would have been handled already. This vulnerability has been open for at least 8 months...
This is a real life example: I was not aware that in the last 8 months (at least), I have been collecting usernames and passwords this way for over 30 persons (customers). Just by doing the above procedure. Legally too, because Google Chrome helped me. I have so many passwords now, but most are not mine... I am sure that I am not the only one who is doing this. Google Chrome is one of the most used browsers in the world. So I guess you now have a very big task. First you need to close the vulnerability, and that may be easy compared to the need to sort out and remove any passwords that don't belong to the accounts (is that even possible?). Good luck.

I am looking forward to some serious $$$ for investigating and telling you this. I run a little company, IT+NET; you just call me if you need help. I am specialized, also in security.

Best regards,
IT+NET
Produktionsvej 8-10
2600 Glostrup, Denmark
Owner: Dennis Siggaard
mail: dennis@itognet.dk
phone: +45 20873979
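Added example, not part of the original report and not Chromium code: a defender-side check of whether a managed Chrome policy closes the path described above, where signing in to Chrome uploads locally saved passwords to that account. The policy names (BrowserSignin, SyncDisabled, SyncTypesListDisabled) come from Chrome's enterprise policy list and do not appear in the report; the flat JSON shape and all sample values are constructed.

```python
import json

# Constructed sample policies: flat name -> value maps, the shape of Chrome's
# managed-policy JSON files on Linux. None of these come from the report.
UNMANAGED = "{}"
SIGNIN_OFF = '{"BrowserSignin": 0}'
SYNC_OFF = '{"SyncDisabled": true}'
PASSWORDS_EXCLUDED = '{"BrowserSignin": 1, "SyncTypesListDisabled": ["passwords"]}'
OTHER_TYPES_ONLY = '{"SyncTypesListDisabled": ["bookmarks", "themes"]}'


def password_sync_blockers(policy_json):
    """Return the policies in policy_json that stop locally saved passwords
    from being uploaded when someone signs in to Chrome on this profile."""
    policy = json.loads(policy_json)
    if not isinstance(policy, dict):
        raise ValueError("policy must be a JSON object of name -> value")
    blockers = []
    signin = policy.get("BrowserSignin")
    # 0 = browser sign-in disabled; bool is excluded because False == 0.
    if type(signin) is int and signin == 0:
        blockers.append("BrowserSignin")
    if policy.get("SyncDisabled") is True:
        blockers.append("SyncDisabled")
    excluded = policy.get("SyncTypesListDisabled")
    if isinstance(excluded, list) and "passwords" in excluded:
        blockers.append("SyncTypesListDisabled")
    return blockers


def is_exposed(policy_json):
    """True when nothing in the policy prevents the sign-in-then-sync path."""
    return not password_sync_blockers(policy_json)


if __name__ == "__main__":
    for name in ("UNMANAGED", "SIGNIN_OFF", "SYNC_OFF",
                 "PASSWORDS_EXCLUDED", "OTHER_TYPES_ONLY"):
        doc = globals()[name]
        print(f"{name:20} exposed={is_exposed(doc)} "
              f"blockers={password_sync_blockers(doc)}")
```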
,
Oct 25 2016
,
Oct 27 2016
Thank you for your replies. Will you verify to me, that this is an issue that Google won't fix, please. Thank you.
,
Feb 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Oct 25 2016
Summary: Security: Users may not recognize that password sync is enabled (was: Security: Google Chrome reveals passwords to the wrong user)