Issue metadata
Sign in to add a comment
|
Security: Developer console logs passwords fields in clear text.
Reported by
amitsing...@gmail.com,
Feb 12 2017
|
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS Chrome developer console logs the password fields in clear text. This creates a security risk and makes it easier to steal passwords. e.g. attacker can open on the developer console, enable preserve log, detach and minimize the console window. Now attacker can invite victim to login to a secured site. Once the victim is done, attacker can go to the network tab and get the password. Possible Solution: One possible solution is to log the password fields using the public key of website being visited. If the website is using http itself, then it's okay to log the password as clear text. This will save end users from stealing their passwords and at the same time let real developer find the clear text in developer console in their dev/test environments (if need be) VERSION All
,
Feb 12 2017
Thanks for the report. However, this is a physically local attack, and thus it is not within Chrome's threat model. As #1 says, if an attacker has physical access to your machine, there is basically nothing Chrome can do to stop them. See https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools-
,
Feb 12 2017
I think it's the ease with which one can do this makes it a vulnerability and that too on victims computer. As an experiment, I tried to trick my friends (technical guys) and they all fell for it and that too on their computers. Once I told them, everybody mostly agree that this should be handled better.
,
May 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by jialiul@chromium.org
, Feb 12 2017