New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 746136 link

Starred by 3 users
Status: WontFix
Owner: ----
Closed: Jul 2017
Cc:
mastiz@chromium.org
tschumann@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: View saved passwords on chrome without windows session password

Reported by diegoohs...@gmail.com, Jul 19 2017 
VULNERABILITY DETAILS
Able to steal other chrome's saved usernames and passwords without the windows user password.

VERSION
Chrome Version: 59.0.3071.115 Stable
Operating System: Observed on Windows 7 Ultimate 64 bits service pack 1 and windows 10 Home 64 bits

REPRODUCTION CASE
The computer from we are stealing the usernames and passwords saved on chrome is showed as PC2 on screenshots taken. And the computer where I created the blank google account and later show the stolen password.
On PC2 there is no google user logged to the browser and it has passwords saved in it, like most computers I have seen. When go to password manager I need to have the password of the windows user logged in to see the passwords saved. On PC2 I log in to the browser session using the test user created, by default it synchronizes everything. After a couple seconds syncing I log that user user out. Shows no (simple) trace of that user logged in the computer. After that I go and log that google account in PC1 and automatically downloads all the usernames, passwords and even favorite websites to my computer, with the difference that when go to password manager the password that unlocks all the info is the windows password from the current computer, PC1.

If needed I can give you a video about it.
test1.rar
2.3 MB Download

Comment 1 by elawrence@chromium.org, Jul 19 2017

Components: UI>Browser>Passwords Services>Sync
Status: WontFix (was: Unconfirmed)
Summary: Security: View saved passwords on chrome without windows session password (was: Security: Watch saved passwords on chrome without windows session password)
The "Prompt for the current Windows account password" feature is intended as a minor speedbump for the password manager feature; there are a number of ways it can be circumvented, and it's not present at all on some versions of Chrome (e.g. Linux and ChromeOS).

When given unrestricted physical access to a user's PC, there are numerous mechanisms for obtaining the user's stored passwords as discussed here: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

In this version, the attacker uses Sync to egress the victim's passwords to their own account in the cloud, then simply views the passwords on a different computer at their leisure. The attacker need not even bother using the password manager to view the passwords-- they can simply browse to any site of interest and the passwords will autofill.

Comment 2 by elawrence@chromium.org, Sep 2 2017 

 Issue 761603  has been merged into this issue.
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 26 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment