Issue metadata
Sign in to add a comment
|
Autofill Passwords Unencrypted in Memory of Chrome Rendering Processes
Reported by
marsolle...@gmail.com,
Jul 27 2017
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Steps to reproduce the problem: 1. Arbitrary Memory Viewer plugged into PID of Tab 2. Search for (unencrypted, also!) Emails in SQLite database profile on Hard Disk 3. Find, mostly seperated by singular bytes, Passwords near very searchable, for a Malware, Emails which require no password authentication but simple Code Execution to obtain What is the expected behavior? 1. Encrypted Passwords in RAM, decrypted, only on Autofill, for a very short time, then free of memory 2. SQLite database completely encrypted, also Emails, URLs also, detection could be done via MD5 Hash of URL What went wrong? Unencrypted Passwords were found in Chrome Tab Rendering Process Memory; SQLite Database with Emails and Passwords also unprotected from Malware, explicitly unencrypted (of course, passwords in SQLite are encrypted, but as formerly said - references between unencrypted SQLite data, accessible by Malware, and unencrypted passwords in Chrome Memory can easily be made) Did this work before? N/A Chrome version: 59.0.3071.115 Channel: stable OS Version: 6.3 Flash Version: Would like to suggest Runtime Encryption of some sort.
,
Jul 27 2017
A browser cannot protect data when it is running on a compromised PC. A browser cannot protect data in the face of an attacker's unrestricted physical (or logical) access to a PC. Details: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- https://dev.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools- https://technet.microsoft.com/en-us/library/hh278941.aspx
,
Jul 28 2017
Browser extensions can be prevented from reading input[type=password] fields. The browser can, very well, encrypt the password in memory and only decrypt in while use.
,
Jul 28 2017
Browser extensions can be prevented from reading input[type=password] fields, explicitly after Autofill - Chrome knowns well Autofilled; Simple Information Flow Tracking task.
,
Jul 28 2017
> Browser extensions can be prevented from reading > input[type=password] fields. Re #3: Preventing a browser extension from reading INPUT TYPE=PASSWORD fields wouldn't be effective, as a browser extension with the permission to do so would also have the permission necessary to inject JavaScript on the page. JavaScript in the page inherently may exfiltrate data from the DOM, including the value of any input field, via myriad of vectors. When users grant powerful permissions to extensions, those extensions become powerful. >The browser can, very well, encrypt the password in memory and >only decrypt in while use. It's true that the browser could keep an encrypted password in memory, and decrypt it only when added to the DOM, at which point it would be copied to JavaScript, network requests, etc. However, unfortunately keeping the password encrypted in memory is not very useful, as the decryption key would itself also be in memory. An attacker with the ability to steal the unencrypted credentials in memory today would also have the ability, were such an encryption scheme introduced, to steal both the encrypted credentials and their decryption key, rendering the protection moot.
,
Jul 28 2017
Issue 750192 has been merged into this issue.
,
Jul 28 2017
,
Jul 29 2017
>Re #3: Preventing a browser extension from reading INPUT TYPE=PASSWORD fields wouldn't >be effective, as a browser extension with the permission to do so would also have the >permission necessary to inject JavaScript on the page. JavaScript in the page >inherently may exfiltrate data from the DOM, including the value of any input field, >via myriad of vectors. When users grant powerful permissions to extensions, those >extensions become powerful. There is websites who abuse popups, fullscreen mode, Javasscript and combination of PDF and <object> type internal JS DOMs to explicitly force users to only be able to shut down the computer loosing all of their work, or to klick on Install of the CRX iN Chrome. I am quite sure the most powerful security team on earth, at Google, has already seen such sites. > It's true that the browser could keep an encrypted password in memory, and decrypt it > only when added to the DOM, at which point it would be copied to JavaScript, network > requests, etc. > However, unfortunately keeping the password encrypted in memory is not very useful, > as the decryption key would itself also be in memory. An attacker with the ability to > >steal the unencrypted credentials in memory today would also have the ability, were > such an encryption scheme introduced, to steal both the encrypted credentials and their > decryption key, rendering the protection moot. I am very confident that you aware of process protection procedures, such as used in Counter-Forensics or Game Cheating Protection. I am also quite sure you aware of non-full decryption keys in RAM, having to be brute-forced a little bit, as in a few bits of it, which be done in few milliseconds. I agree with you the latter would be pretty stupid, while plugs into the process could be easily detected, and rather than demotivating security researchers you could at least pretend to do something. THANKS. |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by marsolle...@gmail.com
, Jul 27 2017Passwords can be accessed by Chrome Extensions having access to the JS DOM (any Chrome extension) and also, disregarding any theoretical or very practical malware - Any co-worker who can access your computer when you're at lunch can read your passwords with one line of simple JS or access to a Mouse with a Right click: console.log(document.getElementById("pw").value)229 KB
229 KB View Download