VULNERABILITY DETAILS
Chrome (and Chrome based browsers) are allowing password keystrokes to be broadcast to the rest of the system. This seems to be a regression as I'm finding evidence that this wasn't the case prior and that secure input was being enabled (https://bugs.chromium.org/p/chromium/issues/detail?id=46921).

VERSION
Chrome Version : 57.0.2987.133 (64-bit) [stable]
Operating System : Mac OS X 10.12.4 (16E195)

REPRODUCTION CASE

I've attached a really simple HTML file that includes two fields, a text field and a password field. When typing in a secure text field (password field) on OS X, the expectation is that EnableSecureEventInput() will be called so that key presses are not sent to the event tap that any process can listen to.

What I'm seeing is that when typing in either fields, the key presses are making their way to the tap. This can be demonstrated by using the BlockPass app available here: https://github.com/danielpunkass/Blockpass

Using this app, you can set a string that it will watch for. Specifically you can give it the prefix to your password and it will alert you when you start typing it in a way that allows other processes to see it. 

That it can detect that I'm typing my password indicates that Chrome is not enabling Secure Event Input. 
 

Deleted: SecureInput.html 190 bytes

SecureInput.html 190 bytes View Download