Issue metadata
Sign in to add a comment
|
Security: View saved passwords on chrome without windows session password
Reported by
diegoohs...@gmail.com,
Jul 19 2017
|
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS Able to steal other chrome's saved usernames and passwords without the windows user password. VERSION Chrome Version: 59.0.3071.115 Stable Operating System: Observed on Windows 7 Ultimate 64 bits service pack 1 and windows 10 Home 64 bits REPRODUCTION CASE The computer from we are stealing the usernames and passwords saved on chrome is showed as PC2 on screenshots taken. And the computer where I created the blank google account and later show the stolen password. On PC2 there is no google user logged to the browser and it has passwords saved in it, like most computers I have seen. When go to password manager I need to have the password of the windows user logged in to see the passwords saved. On PC2 I log in to the browser session using the test user created, by default it synchronizes everything. After a couple seconds syncing I log that user user out. Shows no (simple) trace of that user logged in the computer. After that I go and log that google account in PC1 and automatically downloads all the usernames, passwords and even favorite websites to my computer, with the difference that when go to password manager the password that unlocks all the info is the windows password from the current computer, PC1. If needed I can give you a video about it.
,
Sep 2 2017
Issue 761603 has been merged into this issue.
,
Oct 26 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Jul 19 2017Status: WontFix (was: Unconfirmed)
Summary: Security: View saved passwords on chrome without windows session password (was: Security: Watch saved passwords on chrome without windows session password)