New issue
Advanced search Search tips

Issue 664396 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Saved passwords in chrome can be shown directly without windows admin/user password.

Reported by pavanamb...@gmail.com, Nov 11 2016

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home
/chromium-security/security-faq

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Saved passwords in chrome can be shown without admin/user passwords , via inspect-element item. when you right click on saved password, as shown in pics, and click inspect element. when you change password field to text it directly shows password, without asking any security questions. This is serious bug, and need to fixed immedietly.  


Please provide a brief explanation of the security issue.

VERSION
Chrome Version: 54.0.2840.87 m  + stable
Operating System: Windows 10/8 hpme/professional

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

 
Saved password bug.rar
585 KB Download

Comment 1 by rickyz@chromium.org, Nov 11 2016

Status: WontFix (was: Unconfirmed)
Physically local attacks are outside of the threat model and are not considered vulnerabilities. Please see 
https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools-

Project Member

Comment 2 by sheriffbot@chromium.org, Feb 17 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment