Issue 714427

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: Google Chrome password storage is not as safe as you think

Reported by itzunk...@gmail.com, Apr 23 2017

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home/chromium-security/security-faq

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
I'm rocking the latest version of Google Chrome and I've always found it convenient that Chrome automatically stores your passwords "securely" in your Google account.

What I didn't know is that Google Chrome doesn't securely encrypt your passwords when it stores them on your computer.
How did I find out? Well, I've always liked, for some reason, to use multiple web browsers.
Currently, I have Chrome, Firefox and Edge installed on my computer.

Well, today I installed the latest version of the Opera Browser.
As always, when you install a new browser, the first time you run it, it always asks you to set it as your default browser and to import your data. However, I always click "No" for both and if there's a "never ask again" option, I always use it.

To my surprise, after I installed Opera and started to customize it... I went to www.google.com
And guess what?
Opera was already signed into my Google account. I was like what the heck? How? I've never used this browser before.

Then I opened the Opera browser settings and went to the password manager... And yeah, Opera already had ALL THE PASSWORDS that I had stored in my Google Chrome browser.

So just a warning, don't trust Google Chrome to "securely" store passwords.
If the Opera Browser got all the passwords and even the active sessions that easily from Google Chrome, then any program and trojan can do the same.
VERSION
Chrome Version: [58.0.3029.81] + [stable]
Operating System: Windows 10 - Build 1607 (64-bit)

REPRODUCTION CASE
I installed both (Chrome first) on a different laptop (never used Chrome/Opera on this laptop) and it happened again.
This time, I didn't use Chrome sign-in option.
I just went to reddit, logged in and saved the password in Chrome and closed Chrome.
Then I installed Opera and when it finished, went to reddit...
It was logged in already (active session) with the same account I logged in with in Chrome.
Checked Opera saved passwords in settings and there it was...


I reported this issue for the first time in the Chrome forums because I didn't know about this reward program. Hopefully that Matti guy hasn't reported it before me because I'm the one who found this. Proof here:

https://productforums.google.com/forum/#!topic/chrome/l2S8pRqdqnI;context-place=mydiscussions

 
Components: UI>Browser>Passwords
Status: WontFix (was: Unconfirmed)
This is working as expected.

Passwords are in fact stored using encryption, but the key is a security object of the current user's Windows login account.

When you run Opera in the same user account, it has access to the security object in question, and thus it is able to read the encrypted data.

See https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- for background on why the local attacks are outside of the browser's threat model.
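
The behaviour described in the comment above, as an added example that is not part of the original thread or of Chromium's code: it uses the Windows Data Protection API (DPAPI) through .NET's `ProtectedData` class as the example of encryption keyed to the Windows login account (the thread does not name the API). The secret and the file name are constructed for the demonstration.

```powershell
# Added illustration for Windows PowerShell 5.1. The secret is constructed
# sample data; no browser files are read.
Add-Type -AssemblyName System.Security
$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-secret')

# "Application A": encrypt. The caller supplies no key or password; DPAPI
# derives the key material from the logged-in user's Windows credentials.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$blobFile = Join-Path $env:TEMP 'dpapi-demo.bin'   # hypothetical file name
[System.IO.File]::WriteAllBytes($blobFile, $blob)

# What lands on disk is ciphertext: the plaintext does not appear in it.
$onDisk = [System.Text.Encoding]::UTF8.GetString($blob)
"Plaintext visible in file: $($onDisk.Contains('constructed-sample-secret'))"

# "Application B": a separate process under the same Windows account. It is
# handed only the file path, never a key, and can still decrypt the blob.
$childScript = @'
Add-Type -AssemblyName System.Security
$b = [System.IO.File]::ReadAllBytes($env:DPAPI_DEMO_FILE)
$p = [System.Security.Cryptography.ProtectedData]::Unprotect($b, $null, 'CurrentUser')
[System.Text.Encoding]::UTF8.GetString($p)
'@
$env:DPAPI_DEMO_FILE = $blobFile
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($childScript))
$recovered = powershell.exe -NoProfile -EncodedCommand $encoded

"Recovered by second process: $recovered"

# Clean up the demo artifacts.
Remove-Item $blobFile
Remove-Item Env:\DPAPI_DEMO_FILE
```

Calling `Unprotect` on the same blob from a different Windows account throws a `CryptographicException`, which is the boundary this scheme enforces: the user account, not the individual application.
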

Comment 2 by itzunk...@gmail.com, Apr 27 2017

Then any malicious software is able to access this information, rendering the "encryption" useless.
Encryption protects the password on disk, which may not use FDE and thus could be compromised in a variety of scenarios. The link in Comment #1 as well as https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-compromised-infected-machines-in-Chrome-s-threat-model- explains the futility of trying to protect information on a PC with a compromised OS.
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 1 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
