Regression: Password is visible on clicking eye icon without any security attempt
Reported by
nutan.ga...@etouch.net,
Sep 25 2017
Issue description

Chrome Version: 63.0.3223.0 569732c0a96ec8d0c4c5df7f7012188696c7d37c-refs/heads/master@{#503964}
OS: Windows (7,8,8.1,10), Mac OS X(10.12.6), Linux (14.04 LTS)

Steps to Reproduce:
1. Launch Chrome, navigate to www.gmail.com and login with valid credentials
2. Click on eye icon on password bubble and observe

Actual: Password is visible on clicking eye icon without any security attempt
Expected: Password should not be visible after directly clicking on eye icon

This is a regression issue broken in M-63, will soon update the bisect info
Good Build: 63.0.3222.0
Bad Build: 63.0.3223.0

Note: Mac version 10.12.6, After step 1, nothing happens when click on eye icon on password bubble

Sep 25 2017
Using the per-revision bisect providing the bisect results,
Good Build: 63.0.3222.0
Bad Build: 63.0.3223.0

You are probably looking for a change made after 503720 (known good), but no later than 503721 (first known bad).
CHANGELOG URL:
The script might not always return single CL as suspect as some perf builds might get missing due to failure.
https://chromium.googlesource.com/chromium/src/+log/b9b071354e64f5f338de6893def6d9d5ae14c110..79a0cd8c97666817afc1de8f5a9836610562f0c3

From the CL above, assigning the issue to the concern owner

@Irmak- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Suspect - https://chromium.googlesource.com/chromium/src/+/79a0cd8c97666817afc1de8f5a9836610562f0c3

Thanks!
Sep 25 2017
Hi! The eye icon is a part of Password Selection Feature of the password manager. It was recently enabled by default. The mac implementation is not complete, so the eye icon doesn't work there but the feature wasn't enabled for mac platform so I am surprised, I will check that out. Vasilii is OOO this week. Can you please cc battre@? The initial plan didn't include a verification upon clicking the eye icon, that's why it didn't happen, but probably that can be the be step.

Sep 25 2017
I would suggest the following behavior: For 90 seconds after typing the password or 90 seconds after the form submission, the password can be revealed in the save/update bubble via the eye icon and without any reauthentication. After that, the eye icon is not shown anymore. The eye icon is never offered in the manage passwords bubble. Max, do you agree with this suggestion?
Sep 25 2017
Fyi: the eye icon is there mainly for the password selection dropdown (appears in password change forms etc), so that user can see what they are selecting from the password dropdown. Please take this into consideration if we are going to remove the eye icon after a time, since removing will limit the dropdown functionality a lot.
Sep 25 2017
Proposed behavior after discussing more offline: the password can be revealed via the eye icon. After 90s revealing the password(s) is still possible but requires reauth (like in Settings > Passwords).
Sep 25 2017
Adding RB Label as this is a recent Regression. Please remove if not required. Thank You.
Oct 5 2017
Friendly ping for an update on this issue marked as Blocker.
Oct 5 2017
We discussed it and designed an algorithm described in Issue 768742. Basically, we shouldn't allow to view the password if the bubble was opened manually after the successful login.
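
The rules raised in this thread (reveal freely for 90 seconds after submission, then require reauthentication; no reveal when the bubble was opened manually after a successful login) can be modelled as below. This is an added illustration, not Chromium code and not the algorithm from Issue 768742, which is not reproduced on this page. All type and function names are hypothetical, and combining the two rules into one gate is an assumption.

```cpp
#include <chrono>
#include <functional>
#include <utility>

// Sketch only: every name below is hypothetical, none is a Chromium identifier.
using Clock = std::chrono::steady_clock;  // monotonic, unaffected by wall-clock changes
enum class BubbleOrigin { kAfterSubmission, kOpenedManually };
enum class RevealResult { kRevealed, kDenied };
constexpr std::chrono::seconds kGracePeriod{90};  // value proposed in the thread

class PasswordRevealGate {
 public:
  PasswordRevealGate(BubbleOrigin origin, Clock::time_point submitted_at,
                     std::function<bool()> reauthenticate)
      : origin_(origin),
        submitted_at_(submitted_at),
        reauthenticate_(std::move(reauthenticate)) {}

  // The eye icon is not offered when the user reopened the bubble manually
  // after a successful login.
  bool ShouldShowEyeIcon() const {
    return origin_ == BubbleOrigin::kAfterSubmission;
  }

  RevealResult OnEyeIconClicked(Clock::time_point now) const {
    // Re-check here too: hiding the control in the UI is not the gate itself.
    if (!ShouldShowEyeIcon()) return RevealResult::kDenied;
    if (now >= submitted_at_ && now - submitted_at_ <= kGracePeriod)
      return RevealResult::kRevealed;
    // Outside the grace period: fail closed unless reauthentication succeeds.
    bool ok = reauthenticate_ && reauthenticate_();
    return ok ? RevealResult::kRevealed : RevealResult::kDenied;
  }

 private:
  BubbleOrigin origin_;
  Clock::time_point submitted_at_;
  std::function<bool()> reauthenticate_;
};

// Exercises the gate with a constructed elapsed time and reauth outcome.
RevealResult Decide(BubbleOrigin origin, int elapsed_seconds, bool reauth_ok) {
  Clock::time_point t0 = Clock::now();
  PasswordRevealGate gate(origin, t0, [reauth_ok] { return reauth_ok; });
  return gate.OnEyeIconClicked(t0 + std::chrono::seconds(elapsed_seconds));
}
```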
Oct 11 2017
Thanks for the update. M63 is branching soon, we will be taking only critical merges. It would be great to have a fix ASAP.
Oct 12 2017
It's already fixed on all the platforms but Mac.

Oct 12 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e2decb889622a1178c46f1b9f9029b969525414b

commit e2decb889622a1178c46f1b9f9029b969525414b
Author: Vasilii Sukhanov <vasilii@chromium.org>
Date: Thu Oct 12 11:59:05 2017

Hide the eye icon in the password bubble on Mac when required.

The algorithm is listed in https://bugs.chromium.org/p/chromium/issues/detail?id=768742#c14

Bug: 768306, 768742
Change-Id: I137a95262ed9a328959aba61438094083364da84
Reviewed-on: https://chromium-review.googlesource.com/715739
Reviewed-by: Tatiana Gornak <melandory@chromium.org>
Commit-Queue: Vasilii Sukhanov <vasilii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508317}

[modify] https://crrev.com/e2decb889622a1178c46f1b9f9029b969525414b/chrome/browser/ui/cocoa/passwords/save_pending_password_view_controller.mm
Oct 12 2017
[Auto-generated comment by a script] We noticed that this issue is targeted for M-63; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-63 label, otherwise remove Merge-TBD label. Thanks.

Oct 13 2017
Retested the above issue on latest Canary #63.0.3239.0 on Windows (7,8,8.1,10), Linux (14.04 LTS), Mac OS X(10.12.6) and fix is working as intended. Kindly refer the attached video.

Oct 13 2017
M63 (branch #3239) is branched at chromium revision 508578. So cl listed at #14 is already in M63.