UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

Steps to reproduce the problem:
When using Chrome to configure router with a popular LuCI configuration tool, Chrome arbitrarily changes wireless PSK to the router password. This is bad, as wireless access is lost, and the server gets password in an unecrypted form.

1. Login to any router with LuCI configuration interface
2. Remember password
3. Go to Network -> Wifi -> radio0
4. Check that the mode is WPA2-PSK and there is a Key dialog.
4. Press Save and Apply

Note that I have auto-login enabled in Chrome password settings.

What is the expected behavior?
Chrome will keep PSK key as it is, especially if user does not touch it. It should not attempt to auto pre-fill the router password as a wireless PSK automatically, even if PSK is empty / not yet set.

What went wrong?
After these steps, Chrome changes Key (WPA2-PSK) from the original value to a password used in the login dialog. It happens even if I skip 4., i. e. Key input field remains hidden.

It means, that e. g. channel change will cause PSK change.

Did this work before? N/A 

Chrome version: 60.0.3112.90  Channel: stable
OS Version: openSUSE Leap 42.3
Flash Version: 

In the case of LuCI, this Chrome behavior has an implication of denial of wireless service of the router. But with other pages, this behavior (i. e. automatic filling of the main password, even to hidden input fields) can have bad security implications. Hacker can just add a hidden field and get passwords in unencrypted form, even if server itself does not store them.

When I remove stored password, the problem disappears.

Login and wireless setup pages have different URL on the same server.

Files in the attachment were saved after removing of the stored password. Sensitive data were replaced by stubs.
 

Deleted: LuCI_pages.zip 34.4 KB

LuCI_pages.zip 34.4 KB Download