
Issue 672451

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Chrome
Pri: 2
Type: Bug




Password manager allows user to view passwords without authenticating on Linux

Reported by benwmora...@gmail.com, Dec 8 2016

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.100 Safari/537.36

Steps to reproduce the problem:
1. Settings > Advanced Settings > Manage Passwords
2. Show Passwords

What is the expected behavior?
When I go to passwords.google.com, I have to sign in before being able to view managed passwords. I'd expect to have to authenticate when going through the browser, but I don't.

What went wrong?
I can view my passwords without authenticating. My Mac requires that I type a password before viewing, but my Ubuntu 16.04 machine can view it without a prompt. I'm not sure if it's an issue on Chrome's side or Ubuntu.

Did this work before? N/A 

Chrome version: 54.0.2840.100  Channel: n/a
OS Version: 
Flash Version: Shockwave Flash 23.0 r0
 
Components: UI>Browser>Passwords
Status: Untriaged (was: Unconfirmed)
Summary: View passwords without authenticating on Linux (was: View passwords without authenticating)
Windows also requires that the user type their user-account password to show a password.

From a security point of view, this is a relatively minor issue, insofar as a local attacker can collect the passwords in other ways; he can, for instance, navigate to a site and then use the developer tools to collect the auto-completed password.

The PasswordManagerPresenter::IsUserAuthenticated() function only performs checks for Mac and Windows. https://cs.chromium.org/chromium/src/chrome/browser/ui/passwords/password_manager_presenter.cc?q=AuthenticateUser&sq=package:chromium&dr=C&l=329


Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: Untriaged (was: WontFix)
Summary: Password manager allows user to view passwords without authenticating on Linux (was: View passwords without authenticating on Linux)
Removing security flags (per comment #2) but sending to the Password Manager team to consider as a functionality bug or otherwise explain why Linux differs here.

Comment 4 by vabr@chromium.org, Dec 13 2016

Labels: OS-Chrome
Status: WontFix (was: Untriaged)
This is known. Neither GNU/Linux nor Chrome OS reauthenticates the user before allowing them to view the passwords. It is unfortunate that this feature is inconsistent across platforms, but changing it has negligible priority, given that there are basically no benefits (see #2).

Issue 696330 has been merged into this issue.
