VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.
VERSION
Chrome Version: 60.0.3112.101 + [stable]
Operating System: [Windows, 7, and service pack 1] & applicable for almost all chrome browsers
REPRODUCTION CASE
If somebody wants to view saved passwords in google chrome browser. There are two ways to do it.
1. Go to chrome://settings/passwords, view details link beside the website you want to look the password for, click eye like button on password on popup and it will ask for computer password and when entering the computer password we will be able to see the password.
2. we can go to passwords.google.com and view password.
in both above cases it requires some level of authorization.
3rd way to do that is by going to the console in chrome developer tools and typing "document.getElementById('id').value" or "document.getElementsByClassName('class')[0].value"(for google login) and document.getElementsByName('name')[0].value in console window. Here 'id', 'class' and 'name' indicated id class and name of the respective input html element.
By this approach all computer users irrespective of the authorization can see the passwords saved in the account.
I am also adding images it it helps.
Thank you,
Viswanath
|
Deleted:
3rd_way_view_password_without_authentication.png
42.4 KB
|
|
|
3rd_way_view_password_without_authentication.png
42.4 KB
View
Download
|
|
|
|
Deleted:
asking_for_authentication_when_trying_to_view_password.png
57.3 KB
|
|
|
asking_for_authentication_when_trying_to_view_password.png
57.3 KB
View
Download
|
|
|
|
Deleted:
passwords_screen_in _settings.png
11.3 KB
|
|
|
Deleted:
view_password_screen_for_website_selected.png
14.7 KB
|
|
|
view_password_screen_for_website_selected.png
14.7 KB
View
Download
|
|
Comment 1 by elawrence@chromium.org
, Aug 22 2017Status: Duplicate (was: Unconfirmed)