New issue
Advanced search Search tips

Issue 726309 link

Starred by 1 user
Status: Duplicate
Merged: issue 681791
Owner: ----
Closed: May 2017
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security



Sign in to add a comment

autofill password steal by javascript after click

Reported by vuln...@gmail.com, May 25 2017 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36

Steps to reproduce the problem:
1. Build a login page test.html   just like this 
<html>
<head>
<title>login</title>
</head>
<body>
<div style="text-align: center;">
<form Method="POST" Action="http://localhost/login.php" id="form1" Name="form">
<br/>Login:<br/>
<input id="username" name="username"/>
<br/>Password:<br/>

<input type="password" id="password" name="password"/> <br />
<br />
<input name="Valid" value="Ok" type="submit" /><br />
</form></div>
</body>
</html>

2. make the login.php return code 200,then try to login and save the password
3.add script to test.html
<script >
alert(document.getElementById('username').value+'\n'+document.getElementById('password').value)
 window.onclick=function(){
	alert(document.getElementById('username').value+'\n'+document.getElementById('password').value)
}
</script>
3. the first alert can't get anything but when you click on the white place alert will get username and password

What is the expected behavior?
javascript should not get autofill password value unless the login button been clicked

What went wrong?
at first ,js can't get the password value for security (is it?),but after a click on the blank ,js can get autofill password

then password maybe steal by xss or some attck work with js

not good at english, sorry

Did this work before? N/A 

Chrome version: 58.0.3029.81  Channel: n/a
OS Version: OS X 10.12.5
Flash Version: Shockwave Flash 25.0 r0

Comment 1 by elawrence@chromium.org, May 25 2017

Mergedinto: 681791
Status: Duplicate (was: Unconfirmed)
Summary: autofill password steal by javascript after click (was: autofill password steal by javascript)
This is expected behavior; JavaScript is expected to be able to read password fields and XSS Attacks are inherently powerful. 

The PasswordValueGatekeeper class in Chrome requires that the user interact with the page *in some way* (in your case, the "click on the blank") to unlock visibility of the password to JavaScript. This serves only as a mitigation against an automated UXSS "scan" of the user's password fields, but not as a mitigation against theft of a single password after a click.
Project Member

Comment 2 by sheriffbot@chromium.org, Aug 31 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment