
Issue 692890


Issue metadata

Status: WontFix
Closed: Feb 2017
Type: Bug-Security




Security: Autofill data username/passwords/creditcards

Reported by luismi...@gmail.com, Feb 16 2017

Issue description

VULNERABILITY DETAILS
Autofill data can be obtained without the system password. Although the attack vector is small and requires physical access to a user's Chrome browser, the data in Autofill can be obtained without having the system password, which is prompted for in the settings page chrome://settings/passwords if the user wants to see the plaintext values. [Screenshot 1]

VERSION
Chrome Version: 56.0.2924.87 (64-bit) + stable
Operating System: macOS Sierra 10.12.3

REPRODUCTION CASE
1. Go to a website for which the user has previously saved sensitive data in autofill. [Screenshot 2]
2. Open the developer console and go to the network tab.
3. Click sign in and inspect the request sent by the browser to log in. [Screenshot 3]
4. You should see the username and password in plaintext.

The same can be used to get credit card values from autofill.

Thanks,
 
Attachments: Screenshot1.png (372 KB), Screenshot2.png (816 KB), Screenshot3.png (399 KB)

Comment 1 by raymes@chromium.org, Feb 16 2017

Status: WontFix (was: Unconfirmed)
Thanks for the report. This is classed as a physically local attack and so doesn't fall into our threat model. You can find more details here: https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-
Project Member

Comment 2 by sheriffbot@chromium.org, May 25 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
