
Issue 670446


Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Password remembering security flaw.

Reported by stephans...@gmail.com, Dec 1 2016

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug:
https://www.chromium.org/Home/chromium-security/security-faq

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Client-side brute force on password protection (can be done offline).
Requires: access to Chrome of target (TeamViewer or on-site, for example).

VERSION
Chrome Version: [54.0.2840.99 m (stable)]
Operating System: [Windows 7 Professional Service Pack 1]

REPRODUCTION CASE
In the attachment you can find an example. I click on the "Create a password" textbox and it gives me the option to use password for: (other email)
It only fills in one, and the second one is open to fill in.
Once both passwords match, the text will turn green, making it possible to use scar or some other scripting software to brute-force quite easily.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

 
Attachment: ClientsideBFsetup.png (95.4 KB)
Severity: High
I would fix this by simply removing the feature or filling in both. As it stands the feature is obsolete in account creation.
Labels: -Restrict-View-SecurityTeam allpublic
Status: WontFix (was: Unconfirmed)
Physical attacks are not in Chrome's security model. Please see https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-
Though I would understand this normally, the problem here is that stolen
laptops can be used to crack (Google account) passwords. I recently had my
Surface Pro stolen so I am a little skittish about this... Will contact
other sources if you are not willing to fix this issue in the password
remembering feature. If I find out that my issue was taken into
consideration even though it is stated to be a "WontFix" I will send a
resume for your job instead.
We'll keep that in mind. In the meantime, we'd like to once again direct your attention to the Security FAQ:

To stop people from reading your data in cases of device theft or loss, use full disk encryption (FDE). FDE is a standard feature of most operating systems, including Windows Vista and later, Mac OS X Lion and later, and some distributions of Linux. 

