Issue metadata
Sign in to add a comment
|
Password manager fills old password when changing to new password
Reported by
sabyasac...@gmail.com,
Sep 19 2017
|
||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Steps to reproduce the problem: The change password functionality is not checking for old password while setting up the new password, the old password is getting populated by default in the password box. This is happening when I saved the password, but my understanding is it should work only for the login page and not for the change password functionality. Why I am saying this; 1. To protect the password manager we have system domain password. So that in case your device is shared no one can still all the password stored in the browser. 2. If change password will auto fill the old password, then malicious user will be able to change the password successfully, when the device is shared and user is logged in in the application. 3. And many application has option to add secodary mail id, and then send security notices secondary mail id without user notice. In that case malicious user can provide his mail id as secondary mail address, in that he will have full control over the account in future. As he will get all the details in the secondary mail id (like password reset link). What is the expected behavior? In my opinion when we save password it should not get populated in change password functionality, else browser should ask that domain password when user is changing the old password. It is impacting all the application, so go to have a fix from browser side rather having the fix from application side. For the demo I have used linkedin application, refer the attahed video. What went wrong? Malicious user can take complete control of victims application. Did this work before? No Chrome version: 60.0.3112.113 Channel: n/a OS Version: 10.0 Flash Version:
,
Sep 20 2017
Yes we can do this using inspect element. But my point is if you keep the system more open (having password at multiple place) then application will be more vulnerable. Consider a scenario we don't have auto fill password in change password function -------------------------------------------------------------------------------- The victim is sign-in to the application and went for a coffee keeping the system unlock. In that case if malicious get the system he can't play around with the inspect element because victim is already sign-in to the application. The only this attacker can do take the session ids, in that case it will only impact that particular session. Consider a scenario having auto fill password in change password function ------------------------------------------------------------------------- In this case attacker can use the inspect element as well as change the password to take control of password and complete account. This is a security issue and not a functional bug. I checked the same behavior in other browser, IE don't fill the auto fill password in change password functionality and Mozilla ask for master password when you navigate to change password and then auto fill the old password. Thanks, Sabya
,
Sep 20 2017
> In that case if malicious get the system he can't play around with the > inspect element because victim is already sign-in to the application. The obvious attack would be to simply sign out of the application, steal the password, and log back in. The slightly less obvious attack is to use the JavaScript console to create a password form, inject it into the page, and then steal the credentials.
,
Sep 20 2017
Incidentally, Firefox 55 autofills the user's existing password when visiting either of these pages https://twitter.com/settings/password and https://twitter.com/settings/your_twitter_data. Internet Explorer's behavior isn't a deliberate design decision, it's an artifact of the fact that the password manager is extremely limited: https://blogs.msdn.microsoft.com/ieinternals/2009/09/10/why-wont-ie-remember-my-login-info/
,
Sep 20 2017
The obvious attack would be to simply sign out of the application, steal the password, and log back in. The slightly less obvious attack is to use the JavaScript console to create a password form, inject it into the page, and then steal the credentials. Totally agreed with the above statement, can you help me to understand then why we we are protecting saved password with domain password? Is it a false sense of security? Thanks, Sabya
,
Sep 20 2017
Totally agreed with your point, going by your word I feel the domain password which the browser ask when user try to see any password from manage password list is a false sense of security. There is no use of that. In ideal case the domain password prompt should come when use access the manage password to see the stored password list (basically the application name). In that way at least we can make it one level difficult for the attacker and he has to guess the application name, with some limited time frame. But currently the browser is asking password when user try to see the password in the manage password, which is of no use. Thanks, Sabya
,
Sep 20 2017
Re #5 and #6: You're correct in noting that the prompt for the device credentials to reveal the password is not actually a security boundary. A meaningful number of users requested this feature nevertheless, and thus it was implemented on some (but not all) Chrome platforms.
,
Sep 21 2017
Do you feel, if we authenticate the user (with domain password) before disclosing the complete list of stored application password/website name has some value rather authenticating the user in display password event. I feel it will be more challenging for the attacker to guess the website name and try the attack. Now it is straight forward as you mention, see the list and browse the application fetch the password from inspect element and close the browser.
,
Sep 28 2017
Any updates on the last thought?
,
Sep 28 2017
It would certainly be ever-so-slightly more private to require the user to authenticate before seeing the list of passwords. Of course, most casual attackers are interested in the credentials for a specific site (and thus they'll just try it) and most serious attackers will simply dump the credential list directly from storage instead of bothering with the built-in viewer. |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Sep 19 2017Status: WontFix (was: Unconfirmed)
Summary: Password manager fills old password when changing to new password (was: Security Issue in Password Manage)