Issue 769237

Issue metadata

Status: Duplicate
Merged: issue 768742
Owner: ----
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 1
Type: Bug

Blocking:
issue 753806
[Password Manager] Don't reveal password in prompt if the password was autofilled

Project Member Reported by kolos@chromium.org, Sep 27 2017

Issue description

1) An attacker may visit a site.
2) The password will be autofilled.
3) The attacker changes the username value. The fallback for saving becomes available.
4) The attacker reveals the autofilled password in the prompt.
 

Comment 1 by kolos@chromium.org, Sep 27 2017

Blocking: 753806

Comment 7 by kolos@chromium.org, Oct 6 2017

Mergedinto: 768742
Status: Duplicate (was: Available)
Merging Issue 769237 and Issue 768742 into one.

Comment 8 by bugdroid1@chromium.org, Oct 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/faf1e85261c09fe27c7168fb753d319ff7763d4b

commit faf1e85261c09fe27c7168fb753d319ff7763d4b
Author: Maxim Kolosovskiy <kolos@chromium.org>
Date: Mon Oct 09 10:54:30 2017

[Password Manager] Add flag whether |PasswordForm.all_possible_passwords| include autofilled value or its part

If any password field has an autofilled value or part of it, Chrome should request reauth when a user clicks the eye icon to reveal password(s).

Bug: 769237, 768742
Change-Id: If38f87a97dbe794f454996d58ce0371d61fd82e0
Reviewed-on: https://chromium-review.googlesource.com/700457
Commit-Queue: Maxim Kolosovskiy <kolos@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Vadym Doroshenko <dvadym@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507349}
[modify] https://crrev.com/faf1e85261c09fe27c7168fb753d319ff7763d4b/components/autofill/content/common/autofill_param_traits_macros.h
[modify] https://crrev.com/faf1e85261c09fe27c7168fb753d319ff7763d4b/components/autofill/content/common/autofill_types.mojom
[modify] https://crrev.com/faf1e85261c09fe27c7168fb753d319ff7763d4b/components/autofill/content/common/autofill_types_struct_traits.cc
[modify] https://crrev.com/faf1e85261c09fe27c7168fb753d319ff7763d4b/components/autofill/content/common/autofill_types_struct_traits.h
[modify] https://crrev.com/faf1e85261c09fe27c7168fb753d319ff7763d4b/components/autofill/content/common/autofill_types_struct_traits_unittest.cc
[modify] https://crrev.com/faf1e85261c09fe27c7168fb753d319ff7763d4b/components/autofill/content/renderer/password_autofill_agent.cc
[modify] https://crrev.com/faf1e85261c09fe27c7168fb753d319ff7763d4b/components/autofill/content/renderer/password_form_conversion_utils.cc
[modify] https://crrev.com/faf1e85261c09fe27c7168fb753d319ff7763d4b/components/autofill/content/renderer/password_form_conversion_utils_browsertest.cc
[modify] https://crrev.com/faf1e85261c09fe27c7168fb753d319ff7763d4b/components/autofill/core/common/password_form.cc
[modify] https://crrev.com/faf1e85261c09fe27c7168fb753d319ff7763d4b/components/autofill/core/common/password_form.h
[modify] https://crrev.com/faf1e85261c09fe27c7168fb753d319ff7763d4b/components/password_manager/core/browser/password_form_manager.cc

Comment 9 by bugdroid1@chromium.org, Oct 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8a6beb7ab5262f4566462d06db1dcaa00bb4522e

commit 8a6beb7ab5262f4566462d06db1dcaa00bb4522e
Author: Maxim Kolosovskiy <kolos@chromium.org>
Date: Mon Oct 09 20:14:46 2017

[Password Manager] Hide the eye icon in a prompt for privacy reasons in some cases

Based on https://bugs.chromium.org/p/chromium/issues/detail?id=768742#c14,
* manual fallback should have the eye icon iff the form doesn't contain an autofilled value or part of it.
* automatic prompt should have the eye icon iff the bubble is shown for the first time (i.e. right after submission). If the bubble was closed and re-opened, the eye shouldn't be available.

In a further CL, re-authentication will be implemented instead of icon hiding.

Bug: 769237, 768742
Change-Id: I12ec0b3fa9bc3fa0c42fd47323dabdc04726ae91
Reviewed-on: https://chromium-review.googlesource.com/704642
Commit-Queue: Maxim Kolosovskiy <kolos@chromium.org>
Reviewed-by: Vasilii Sukhanov <vasilii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507466}
[modify] https://crrev.com/8a6beb7ab5262f4566462d06db1dcaa00bb4522e/chrome/browser/ui/passwords/manage_passwords_bubble_model.cc
[modify] https://crrev.com/8a6beb7ab5262f4566462d06db1dcaa00bb4522e/chrome/browser/ui/passwords/manage_passwords_bubble_model.h
[modify] https://crrev.com/8a6beb7ab5262f4566462d06db1dcaa00bb4522e/chrome/browser/ui/passwords/manage_passwords_bubble_model_unittest.cc
[modify] https://crrev.com/8a6beb7ab5262f4566462d06db1dcaa00bb4522e/chrome/browser/ui/passwords/manage_passwords_ui_controller.cc
[modify] https://crrev.com/8a6beb7ab5262f4566462d06db1dcaa00bb4522e/chrome/browser/ui/passwords/manage_passwords_ui_controller.h
[modify] https://crrev.com/8a6beb7ab5262f4566462d06db1dcaa00bb4522e/chrome/browser/ui/passwords/passwords_model_delegate.h
[modify] https://crrev.com/8a6beb7ab5262f4566462d06db1dcaa00bb4522e/chrome/browser/ui/passwords/passwords_model_delegate_mock.h
[modify] https://crrev.com/8a6beb7ab5262f4566462d06db1dcaa00bb4522e/chrome/browser/ui/views/passwords/manage_passwords_bubble_view.cc
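
The eye-icon rules stated in the two commit messages above, modelled as an added C++ example. This is not Chromium's code: every type and function name is hypothetical, and `contains_autofilled_value` stands in for the flag the first commit describes.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical model of one password field offered in the prompt.
struct PasswordField {
  std::string value;
  bool contains_autofilled_value;  // value, or part of it, came from autofill
};

enum class PromptKind { kAutomatic, kManualFallback };

struct PromptState {
  PromptKind kind;
  int times_shown;  // 1 = first display, right after submission
};

// Form-level flag: true if any password field holds an autofilled value
// or part of one.
bool FormHasAutofilledValue(const std::vector<PasswordField>& fields) {
  for (const auto& f : fields)
    if (f.contains_autofilled_value) return true;
  return false;
}

// The two "iff" rules from the second commit message.
bool ShouldShowEyeIcon(const PromptState& prompt,
                       const std::vector<PasswordField>& fields) {
  switch (prompt.kind) {
    case PromptKind::kManualFallback:
      return !FormHasAutofilledValue(fields);
    case PromptKind::kAutomatic:
      return prompt.times_shown == 1;  // hidden once closed and re-opened
  }
  return false;  // unknown prompt kind: fail closed
}

// Steps 1-4 of the report: the password is autofilled, the username is
// edited, and the manual fallback prompt opens.
bool IssueScenarioShowsEye() {
  std::vector<PasswordField> fields = {{"stored-secret", true}};  // constructed
  PromptState fallback{PromptKind::kManualFallback, 1};
  return ShouldShowEyeIcon(fallback, fields);
}

int main() {
  std::cout << "eye icon in reported scenario: " << std::boolalpha
            << IssueScenarioShowsEye() << "\n";
}
```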
