
Issue 721161

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Display ALL Chrome passwords in plain text, bypassing the advanced settings panel and any password protection entirely.

Reported by alexle...@gmail.com, May 11 2017

Issue description

VULNERABILITY DETAILS
I am able to display all website passwords for ALL remembered sites in Chrome, bypassing the entire protected password section in advanced settings.

VERSION
ALL versions and OSes

REPRODUCTION CASE
This is an extremely simple 'hack' and yet in my opinion opens up a serious vulnerability for anyone with access to Chrome on someone's machine to find all passwords for websites.

The process is simply to open up the HTML inspector for any login page that has been remembered. Then find the password field and change the type="password" to type="text". That's it! The password field then immediately displays the password in plain text. 

The simple fix is to prevent any changes being made to password type field when in the inspector. 

I hope this is of help as I consider this a major security issue!
Thanks for everything guys, happy I can give something back!

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
NA

 
Attachment: security.jpg (421 KB)

Comment 1 by alexle...@gmail.com, May 11 2017

I have told NO ONE about this!

Comment 2 by aarya@google.com, May 11 2017

Status: WontFix (was: Unconfirmed)
Developer tools is meant for debugging purposes and you can change any page HTML to your liking. Any remote attacker can't use this to steal your information or show your passwords in cleartext for others to eavesdrop.

Comment 3 by alexle...@gmail.com, May 11 2017

May I ask then, what is the point of password protecting the advanced settings password manager when all are available through the side entrance? Also I believe this approach will also reveal password manager passwords as well as Chrome passwords once autofilled!

Whilst this doesn't work remotely, I can think of many ways to use this technique to get at important passwords in many environments such as office situations as well as family situations etc. There are also many occasions when people are briefly given access to another machine and that would be enough time to find sensitive info. It takes me less time to do this than to use the authentic method of using the settings... around 20 seconds is more than enough!

It seems odd to permit this when a fix to disable password field mod would be quite simple...

Comment 4 by tsepez@chromium.org, May 11 2017

Labels: -Restrict-View-SecurityTeam
See https://dev.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools- for more details.  We get this reported about once a week; feel free to discuss this with whomever you like.

Comment 5 by tsepez@chromium.org, May 11 2017

To address your specific concern about developer tools, the answer is that making your change would not be sufficient to add any real security, since there are so many other ways to extract the same information.
