
Issue 707600

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: Snapshotting stored passwords for users on a system using sync that are later decrypted on a separate system

Reported by maybehar...@gmail.com, Apr 3 2017

Issue description


VULNERABILITY DETAILS
By signing out a user on system (A) on a target machine, logging in with a known account and logging back out again, you can snapshot the system's saved passwords. Then, by going to a separate owned machine (B), it is possible to log on with the known account, access the password manager through the settings menu and use the local operating system credentials to decrypt the passwords, providing cleartext passwords and user names for all accounts on the first system (A), including passwords that do not belong to the known account.

VERSION
Chrome Version: Version 57.0.2987.133 (64-bit) Stable
Operating System: Windows 10 v1607 build 14393.953

REPRODUCTION CASE
Attacker logs on to the target system with his account; attacker logs off after syncing.
Attacker accesses the owned machine and navigates to the password manager in the settings menu.
Attacker decrypts the target system's passwords and has access to usernames using the owned system's operating system credentials.


Cc: vabr@chromium.org zea@chromium.org ew...@chromium.org
Components: UI>Browser>Passwords Services>Sync
Security-wise, this seems like an attack which requires physical access to the target system to execute, in which case it's difficult to do very much about it (see https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-).

I'm not 100% across the expected behaviour when you have multiple accounts logging in and syncing, and what should happen with the synced data. +sync and password folks to take a look and see if the described behaviour is as expected.

Comment 2 by zea@chromium.org, Apr 3 2017

Components: Services>SignIn

Comment 3 by wfh@chromium.org, Apr 3 2017

Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
Once an attacker has physical access to a system they could do anything they wanted including but not limited to installing malware/spyware, copying/decrypting the Chrome data files (including passwords). Chrome makes no security guarantees for multiple profiles operating under the same OS user account.

The protection here is to set a strong password on your OS user account, always lock your computer when you are away from it, use full disk encryption, and power off your machine when not using it.

See https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- for more details.
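The mitigations comment 3 puts on the host (a password on the OS account, a locking screen saver, full disk encryption) and its note that multiple Chrome profiles under one OS user share a single trust boundary can all be audited from the affected machine. The PowerShell script below is an added example, not part of this issue or of the Chromium project; it assumes a Windows 10 host with the BitLocker module and Get-LocalUser available, and the 900-second lock threshold is an assumed policy value rather than anything the issue specifies.

```powershell
# Added example, not from the Chromium issue. Audits the mitigations named in
# comment 3 on the local Windows host. Assumes Windows 10 with the BitLocker
# PowerShell module; the 900-second lock threshold is an assumed policy value.

function Get-LocalProtectionStatus {
    $report = [ordered]@{}

    # 1. Full disk encryption: is the OS volume protected by BitLocker?
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $report.FullDiskEncryption  = ($vol.ProtectionStatus -eq 'On')
        $report.EncryptionPercentage = $vol.EncryptionPercentage
    } catch {
        # No BitLocker module (e.g. Home edition) or no access: treat as unprotected.
        $report.FullDiskEncryption = $false
        $report.EncryptionNote     = $_.Exception.Message
    }

    # 2. Screen lock: the screen saver must require a password and start within the threshold.
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $secure  = [int]($desktop.ScreenSaverIsSecure)   # 1 => password required on resume
    $timeout = [int]($desktop.ScreenSaveTimeOut)     # idle seconds before the saver starts
    $report.ScreenLockEnabled        = ($secure -eq 1 -and $timeout -gt 0 -and $timeout -le 900)
    $report.ScreenLockTimeoutSeconds = $timeout

    # 3. OS account password: a local account without one leaves the OS credential
    #    protection with nothing to protect. Get-LocalUser returns nothing for
    #    domain accounts, in which case the field is simply left out.
    $user = Get-LocalUser -Name $env:USERNAME -ErrorAction SilentlyContinue
    if ($user) { $report.PasswordRequired = $user.PasswordRequired }

    # 4. Chrome profiles sharing this OS user: comment 3 says there is no isolation
    #    between them, so more than one profile is worth surfacing to the owner.
    $localState = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Local State'
    if (Test-Path $localState) {
        try {
            $cache = (Get-Content $localState -Raw | ConvertFrom-Json).profile.info_cache
            $report.ChromeProfilesUnderThisUser = @($cache.PSObject.Properties).Count
        } catch {
            $report.ChromeProfilesUnderThisUser = 'unreadable'
        }
    }

    [pscustomobject]$report
}

Get-LocalProtectionStatus | Format-List
```

Run it from an ordinary user session; only the BitLocker query needs elevation, and when that fails the script reports the volume as unprotected rather than guessing. A machine that shows FullDiskEncryption false, ScreenLockEnabled false, or PasswordRequired false is exactly the machine on which the issue's scenario costs an attacker nothing beyond sitting down at it.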

Comment 4 by vabr@chromium.org, Apr 4 2017

Cc: -vabr@chromium.org
Agreed with #1 and #3. As long as the snapshot happens because of a malicious intent, the advice from #3 is the best we can give to the affected user.

There also have been cases when users did such a snapshot unintentionally (reusing the same Chrome profile for multiple Chrome sign-ins due to confusion between content-area and browser-area sign-in). I believe the Sign-In team reacted by providing a clearer separation between those two flows.
