Security: Dashlane Password manager shows passwords from Chrome
Reported by
navin.na...@gmail.com,
Dec 9 2016
Issue description

VULNERABILITY DETAILS
I discovered a security flaw with Google Chrome on Windows 10 Pro. I installed an application called Dashlane, created a new account, and launched it for the first time. I immediately noticed several accounts that were automatically imported with usernames and passwords readily viewable. However, the passwords were not just my own. It listed the accounts of friends and coworkers as well. With a few simple clicks I was able to view the password. I can understand sharing usernames / email addresses with 3rd party applications, but passwords are unacceptable. Essentially, a person with access to another person's computer (i.e. IT staff, computer repair technician, family / friend, contractor, etc.) can perform the aforementioned steps and, voila, gain access to important email, social media, payments, etc. This issue could also be prevalent in other browsers that Dashlane and other password managers integrate with.

P.S. I just learned about the Chrome Reward Program and hope this warning will qualify for a sizable monetary award and public recognition.

--------------------------------------------------
VERSION
Chrome Version: 54.0.2840.99 m (stable)
Operating System: Windows 10 Pro

--------------------------------------------------
REPRODUCTION CASE
I replicated the process on a friend's computer to confirm it was not an anomaly. I installed an application called Dashlane, created a new account, and launched it for the first time. Again, there were several accounts of friends and coworkers listed in addition to his own personal account. With a few simple clicks he was able to view the password.

--------------------------------------------------
Please feel free to contact me with any questions, comments, concerns, or suggestions. I hope to hear from a member of your technical staff soon.

Best,
Navin D. Nathan
navin.nathan@gmail.com
(732) 501-6088
Dec 9 2016

<<Essentially a person with access to another person's computer (i.e. IT staff, computer repair technician, family / friend, contractor, etc.) can essentially perform the aforementioned steps and voila be able to gain access to important email, social media, payments, etc.>>

The FAQ explains why physically local attacks are not within the browser's threat model: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

If multiple users share a single PC, each user should use an individual Operating System Login Account (e.g. a "User Account" on Windows). That way, the OS is responsible for isolating information between the individual users. Sharing a single OS login account with untrusted parties is never safe, on any OS, with any browser, for the reasons described in the FAQ.
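The thread does not spell out the mechanism behind this answer, so here it is. On Windows, Chrome protects each saved password in its Login Data store with user-scoped DPAPI (CryptProtectData). Any program running in the same Windows account, a password manager's importer included, can unprotect those blobs without any prompt, while a process in a different OS account cannot, because each account has its own DPAPI master key derived from that account's logon credential. That is exactly the boundary the comment above recommends relying on. The script below is an added illustration, not code from the bug report or from Chromium; the Protect-Secret and Unprotect-Secret helper names, the sample secret and the account name OtherUser are made up for the demonstration.

```powershell
# Added illustration (not from the bug thread): the OS login account is the
# boundary for DPAPI-protected data, which is how Chrome on Windows stores
# saved passwords. Helper names and the sample secret are hypothetical.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    # Same call Chrome's Windows password store makes under the hood:
    # user-scoped DPAPI, no extra entropy.
    param([string]$Plaintext)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Plaintext)
    [Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-Secret {
    # Succeeds for any process in the account that protected the blob,
    # fails with CryptographicException from any other account.
    param([byte[]]$Blob)
    try {
        $bytes = [Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
        [Text.Encoding]::UTF8.GetString($bytes)
    } catch [Security.Cryptography.CryptographicException] {
        "UNPROTECT FAILED: $($_.Exception.Message)"
    }
}

$blob = Protect-Secret 'hunter2'          # constructed sample secret
"Running as $env:USERDOMAIN\$env:USERNAME"
"Same account unprotects the blob: " + (Unprotect-Secret $blob)

# To see the boundary, hand the blob to a second local account and retry:
#   [IO.File]::WriteAllBytes("$env:PUBLIC\blob.bin", $blob)
#   runas /user:OtherUser powershell     # OtherUser is a hypothetical account
#   Unprotect-Secret ([IO.File]::ReadAllBytes("$env:PUBLIC\blob.bin"))
# The second account prints "UNPROTECT FAILED ..." because its DPAPI master
# key differs, even though it can read the file.
```

The practical consequence for the reporter's scenario is that "shared PC, one Windows login" gives no protection at all, and "shared PC, one login per person" gives the protection the comment describes, with no change needed in Chrome.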
Dec 9 2016

I definitely understand your point in a corporate setting, but in the real world it does not work like that. People share computers all the time. Even something as simple as having a shared computer in a meeting room for presentations (I tried it at a client's). In enterprise infrastructures, higher standards are definitely adhered to. I largely work with small to mid-sized businesses, where a vulnerability like this can leave them exposed. I don't think passwords should be this easy to discover, whether malicious and intentional or accidental. If a password is saved within Chrome, it should be restricted for use within the application (i.e. to log in to specific websites) and encrypted if shared with other applications.
Dec 12 2016

As elawrence@ says, physically-local attacks aren't covered by our security policy.
Mar 21 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot