There is a problem for users who use all their social media accounts from this browser.
Reported by
goyal...@gmail.com,
Sep 13 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Steps to reproduce the problem:
1. Someone is using his system and is logged into a social media account or any other account.
2. If he leaves his system for some time, anyone can click on the "Save password" button and then see his password by using "Show password" in settings.
3. What is the expected behavior? What went wrong? No user's password is safe when using the browser if he is always logged into Gmail or social media accounts, because if he leaves his system on for some minutes any cracker can click on the "Save password" button and get his password from the "Show password" setting.

Did this work before? N/A

Chrome version: 60.0.3112.113
Channel: n/a
OS Version: 10.0
Flash Version:

Please look at this problem and solve it as soon as possible, because it can be dangerous for people's account credentials.
Sep 14 2017
Marking this as Untriaged, as this is a feature request. Thanks.
Oct 18 2017
This is my understanding of the scenario: An attacker comes to the user's machine when the user is away and switches saving passwords on. Then the user comes back and logs into a website and ignores Chrome's offer to save. Then the attacker comes back, accepts the prompt and uses chrome://settings/passwords to view the passwords.

This is an interesting scenario in that it affects users who do not want to use the password manager on the particular site. It seems to me that there is no way the user can stop using the password manager for the particular site -- even if they click Never in the bubble, Chrome will still have it ready after clicking the key icon.

Having said that, if there are other people around to mess with the user's computer, the user should definitely use a screen lock to protect their whole OS session. This is also why this concrete issue is not considered a security threat [1]. The user can also disable saving passwords on chrome://settings/passwords altogether, for all sites. That will make it impossible to cause Chrome to save passwords typed earlier.

I'll bring this up in a team meeting soon and update this bug with the result.

[1] https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-
Oct 20 2017
An update after a team discussion: The user has a number of protections to use in this case:
(1) First and foremost: a screen lock. (Plus, on public computers, the user might consider disabling the password manager completely if they are not using it.)
(2) Second: the privacy shield of reauthentication on chrome://settings/passwords.
(3) Restrictions on password visibility through the bubble (not possible to view the password after 90 seconds if the bubble has been closed, unless Chrome fails to detect the successful login).

While there are still edge cases when the reported scenario might happen, those are less likely than situations where the user needs Chrome's assistance in saving the password. Therefore the current behaviour should stay.
Comment 1 by ligim...@chromium.org, Sep 13 2017
Labels: -Type-Bug Type-Feature