
Issue 671642

Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: Autofill Password Workaround

Reported by skyecoli...@gmail.com, Dec 6 2016

Issue description

VULNERABILITY DETAILS
Using the Inspect feature in an Autofill password box will display the password with minimal additional work.

VERSION
Chrome Version: 54.0.2840.99 m (64-bit) stable
Operating System: Windows 10 Home; also tested on Mac OS X (unknown version) and Chromium OS.

REPRODUCTION CASE
To replicate:
1. Go to a login webpage which Autofills from Chrome.
2. Click in the password box and right-click, bringing up the additional navigation box.
3. Click "Inspect", which should be the bottom option.
4. Within the blue highlighted portion of code in the "Inspect" box, find: type="password".
5. Double-click the word "password" and type "text" in its place.
6. After pressing the return key, the Autofill password will be visible.

Note: pressing CTRL+SHIFT+I while the password box is selected will not work; it will only inspect the main body of the page. The "Inspect" button specifically inspects the password box.

I have attached a 42 kilobyte screenshot of the replicated action.
 
Attachment: Autofill Inspect Exploit.jpg (46.2 KB)
This exploit is significant because it:
1. Is easy to use
2. Can be used frequently (Autofill is a common feature)
3. Can easily compromise valuable personal information

Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
Please see https://dev.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools-

One of the most frequent reports we receive is password disclosure using the Inspect Element feature (see https://code.google.com/p/chromium/issues/detail?id=126398 for an example). People reason that "If I can see the password, it must be a bug." However, this is just one of the physically-local attacks described in the previous section, and all of those points apply here as well.

The reason the password is masked is only to prevent disclosure via "shoulder-surfing" (i.e. the passive viewing of your screen by nearby persons), not because it is a secret unknown to the browser. The browser knows the password at many layers, including JavaScript, developer tools, process memory, and so on. When you are physically local to the computer, and only when you are physically local to the computer, there are, and always will be, tools for extracting the password from any of these places.
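The right-click > Inspect steps in the report, and the FAQ's point that the browser already knows the password at the JavaScript layer, as an added example that is not part of the bug report or of the Chromium FAQ: the function below makes the same type="password" to type="text" edit from script and reads the field value both before and after it. The makeSampleDocument stand-in for the DOM (with a constructed sample value) is an assumption so the file runs under Node; in Chrome you would pass the real document object from the DevTools console.

```javascript
// Added example, not code from the bug report or from Chromium. In a browser,
// run unmaskPasswordFields(document) from the DevTools console; the stand-in
// document below (an assumption, with a constructed sample value) lets the
// file run under Node without a DOM.

function unmaskPasswordFields(doc) {
  const results = [];
  for (const field of doc.querySelectorAll('input[type="password"]')) {
    // Script can read the value while the field is still masked: masking is
    // purely a rendering choice against shoulder-surfing.
    const valueBeforeUnmask = field.value;
    // The same edit the report makes by hand in the Elements panel.
    field.type = 'text';
    results.push({ name: field.name, valueBeforeUnmask, value: field.value });
  }
  return results;
}

// Minimal DOM stand-in (assumed, constructed for this example): a login form
// with a username field and an autofilled password field. It supports only
// the attribute selector used above.
function makeSampleDocument() {
  const inputs = [
    { name: 'username', type: 'text', value: 'alice' },
    { name: 'password', type: 'password', value: 'hunter2' }, // constructed sample value
  ];
  return {
    querySelectorAll(selector) {
      const m = /^input\[type="(\w+)"\]$/.exec(selector);
      if (!m) throw new Error('stand-in supports only input[type="..."] selectors');
      return inputs.filter((input) => input.type === m[1]);
    },
  };
}

// Stand-alone run against the stand-in document.
if (typeof document === 'undefined') {
  console.log(unmaskPasswordFields(makeSampleDocument()));
}
```

valueBeforeUnmask already holds the cleartext before the type attribute is touched: the mask is rendering only, which is why the FAQ treats this as a physically-local attack rather than a bug. Any script running in the page, or anyone at the keyboard, can read the value.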
