Security: Login credentials (for any site) are stored even if user chooses "never" when logging in
Reported by
cipher...@gmail.com,
Feb 28 2017
Issue description

VULNERABILITY DETAILS
This is a scenario where login state is kept even without the user's approval. Please see description below.

VERSION
Chrome Version: [56.0.2924.87 (64-bit)] + [stable]
Operating System: [Windows 8.1 X64]

REPRODUCTION CASE
To reproduce the issue, a user can log in normally to any site and choose "never" to remember the password by the browser and of course uncheck "remember password" in the site. If the browser process is killed at this point (intentionally or unexpectedly), the user will still be logged in to the site even if "restore" was not selected upon the next startup.

Best Regards,
Feb 28 2017
As mentioned in #c1, the browser does not remember your password, but retains the Cookie that the server asked it to store in its Cookie Jar. To confirm that the browser is not storing the username and password when instructed to not store them, you can log out of the site in question and go back to the login page. At that point, your username and password should not be auto-filled (or a dropdown for username/password shown). If you see a different behavior, please feel free to post that information here and re-open the bug.
Jun 7 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Feb 28 2017