New issue
Advanced search Search tips

Issue 732159 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
ew...@chromium.org
est...@chromium.org
vasi...@chromium.org
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Easily hijacking passwords from Chrome

Reported by slavo...@gmail.com, Jun 11 2017 
Dear Google,
 today around 15:00 p.m Paris Timezone

I found a security bug in chrome with my phone!

With a little bit of social engineering and lots of EVILNESS people could get their password stolen if the hijacker gets a physical contact with the phone.

If you go to Chrome -> Save Passwords -> passwords.google.com
Then forgotten password -> choose the google prompt -> hit yes -> and then type the password he would like
The account is high jacked![1 minute] event less

Then he has the account and see all of the passwords saved to the account and steal it!

we could automate the process with a rubber ducky or an app and it will get even worse!

Me personally i have my host-monster account password there is unbreakable but somebody could mess my website big time if he knew about this bug

or PayPal... You Get It!

Happy Coding and Hear form you soon :) 

Best Regards, 
SLAVOV Kostadin

Comment 1 by elawrence@chromium.org, Jun 12 2017

Summary: Security: Easily hijacking passwords from Chrome (was: Security: Easily highjacking someones passwords from Chrome [Facebook, PayPal, Hostmonster ])
Generally speaking, attacks that require physical access are out-of-scope: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

However, I'm not sure I understand the scenario as described here. Could you possibly include screenshots of the steps you're taking?

Comment 2 by est...@chromium.org, Jun 13 2017

Labels: Needs-Feedback

Comment 3 Deleted

Comment 4 by slavo...@gmail.com, Jun 13 2017 

If you get anyone's phone and visit passwords.google.com you could hijack an account pretty easyly and then get all of his saved passwords

Comment 5 by slavo...@gmail.com, Jun 13 2017

IMG_20170612_195444.jpg
52.0 KB View Download
Screenshot_2017-06-12-19-52-37.png
83.6 KB View Download
Screenshot_2017-06-12-19-52-43.png
54.3 KB View Download
Screenshot_2017-06-12-19-52-47.png
84.2 KB View Download
Screenshot_2017-06-12-19-59-21.png
105 KB View Download
Project Member

Comment 6 by sheriffbot@chromium.org, Jun 13 2017

Cc: est...@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "estark@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by est...@chromium.org, Jun 14 2017

Cc: vabr@chromium.org ew...@chromium.org

Comment 8 by vabr@chromium.org, Jun 14 2017

Cc: vasi...@chromium.org
Status: WontFix (was: Unconfirmed)
Thanks for the report.

If the attacker has access to the unlocked phone, there are a number of ways they can get the passwords stored in Chrome. Going through account recovery is not the easiest of them, and will leave more traces than others. Comment #1 here is correct to point out that Chrome cannot and does not pretend to defend against an attacker with local access. Therefore I am closing this report.
Project Member

Comment 9 by sheriffbot@chromium.org, Sep 20 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by vabr@chromium.org, Nov 29

Cc: -vabr@chromium.org

Sign in to add a comment