Issue 774995

Issue metadata

Status: Fixed
Closed: Apr 2018
Type: Bug

Password auto filled and submitted for the wrong site

Reported by ste...@multiplay.co.uk, Oct 16 2017

Issue description

VULNERABILITY DETAILS
Saved login details for multiple sites on the same domain automatically fills and submits the wrong details even when an exact match is available.

VERSION
Version 61.0.3163.100 (Official Build) (64-bit)
Operating System: Windows 10 Pro v1703 build 15063.608

REPRODUCTION CASE
If a password is saved for two different sites under the same domain then the password for the wrong site can be automatically completed and hence submitted by the user.

In my case I had passwords saved for:
overseer-lb.mydomain.com
overseer.mydomain.com

When visiting overseer.mydomain.com the authentication details for overseer-lb.mydomain.com were automatically filled and hence submitted instead of using the ones for overseer.mydomain.com.

This was brought to light when my login to several sites suddenly stopped working after a Chrome update, so I believe this is a regression in behaviour of the password management process, which now fails to use the details for an exact host match when one is available.

While it looks like this is limited to a single domain, IMO it still presents a security risk.

Cc: vasi...@chromium.org dvadym@chromium.org battre@chromium.org
Components: UI>Browser>Passwords

Comment 2 by battre@chromium.org, Oct 16 2017

Labels: -Restrict-View-SecurityTeam
Status: Available (was: Unconfirmed)
This is currently working as intended. We use publicsuffix.org to match domains. Without this, www.facebook.com and m.facebook.com would not share passwords.

We are considering building an opt-out for certain domains. For the reason specified above, I don't expect that we will change the default.

Lifting visibility restriction.
Labels: -Type-Bug-Security Type-Bug
Summary: Password auto filled and submitted for the wrong site (was: Security: Password auto filled and submitted for the wrong site)

Is there any sort of priority system, whereby we'd "prefer" to fill credentials with the more-specific hostname?

Comment 5 by dvadym@chromium.org, Oct 17 2017

Labels: Needs-Feedback
ste...@ could you please clarify what automatic filling means? Is it filled on page load, or do you need to click on the username/password field and choose credentials?

elawre...@ there are just 2 gradations: either the origin is fully matched (and the credentials are filled on load), or they are PSL matched (and they should be filled only when the user chooses this). So fully matched credentials have priority over PSL matched ones.

In my case the value was automatically filled and all I had to do was click login, which is why it's an issue IMO. There was no way for the user to know that the update had broken the previously expected behaviour and had auto-filled the user details for a non-direct match.
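As an added illustration of the two-tier matching battre@ and dvadym@ describe above (full origin match filled on load, public-suffix-list match offered only on user selection), here is a small Python model. It is not Chromium's code; the suffix set, hostnames, usernames and passwords are constructed stand-ins, and the real matcher uses the full publicsuffix.org list rather than the three entries here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list; publicsuffix.org is far larger.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


@dataclass(frozen=True)
class Credential:
    origin: str      # scheme://host the credential was saved on
    username: str
    password: str


def registrable_domain(host: str) -> str:
    """eTLD+1: longest listed public suffix plus one label (m.facebook.com -> facebook.com)."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):          # i = 0 tries the longest candidate suffix first
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


def classify(cred: Credential, page_origin: str) -> Optional[str]:
    """'exact' for a full origin match, 'psl' for a same-eTLD+1 match, None otherwise."""
    saved, page = urlsplit(cred.origin), urlsplit(page_origin)
    if saved.scheme != page.scheme:            # this example treats scheme as part of the origin
        return None
    if saved.netloc.lower() == page.netloc.lower():
        return "exact"
    if registrable_domain(saved.hostname) == registrable_domain(page.hostname):
        return "psl"
    return None


def fill_decision(saved: List[Credential], page_origin: str) -> Tuple[str, List[Credential]]:
    """Exact-origin matches win and may be filled on load; PSL matches are only offered
    for the user to pick from; otherwise nothing is offered."""
    exact = [c for c in saved if classify(c, page_origin) == "exact"]
    if exact:
        return "autofill", exact
    psl = [c for c in saved if classify(c, page_origin) == "psl"]
    return ("suggest", psl) if psl else ("none", [])


# Constructed sample mirroring the thread: same username, different passwords.
SAVED = [
    Credential("https://overseer-lb.mydomain.com", "steven", "p2"),
    Credential("https://overseer.mydomain.com", "steven", "p1"),
]
```

With both entries saved, `fill_decision(SAVED, "https://overseer.mydomain.com")` returns `"autofill"` with only the overseer.mydomain.com credential; with just the overseer-lb entry saved it returns `"suggest"`, so the user has to pick it explicitly.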

If I had selected a user in the dialog I would have seen information about what credentials were being chosen, but this was not the case.

While I appreciate the concept for publicsuffix.org I can't think of any reason why a direct match would not be used in preference to a non-direct match when automatically filling in login details, as it's almost certainly not what the user would expect to happen.

Comment 7 by dvadym@chromium.org, Oct 18 2017

ste...@ Automatic filling of PSL matched credentials is incorrect. But I can't reproduce it. 

Do you remember whether you selected PSL matched credentials from the username field menu at least once? If yes, the credentials should have been saved automatically as a full match (user selection of PSL matched credentials is taken as confirmation that these sites belong to the same entity), and that would explain what happens. You can check whether a full match is saved by going to chrome://settings/passwords

In the past I've selected credentials, but not recently.

The site in question has worked for months with the automatically filled credentials, then suddenly stopped working. Initially we suspected a security breach but after much investigation it turned out to be automatically filled details from the wrong (old) site which was similar.

When you say you can check if there is a full match from the passwords dialog, what are you referring to? Looking there I can see two matches, that's how we identified the issue, but I can't see anything that identifies a "full match".

Comment 9 by dvadym@chromium.org, Oct 18 2017

On chrome://settings/passwords you can check for which domains credentials are saved (in the Website column, or by clicking the 3-dots menu on a password entry and choosing Details).

Probably in your profile the same credentials for both overseer.mydomain.com and overseer-lb.mydomain.com are saved. Is that true?

That's the problem: overseer.mydomain.com and overseer-lb.mydomain.com have the same username but different passwords saved, and it's auto-filling with the details for overseer-lb.mydomain.com for the overseer.mydomain.com host.

Do I correctly understand that the situation is the following:

There are 2 credentials with the same username and passwords "p1" and "p2", p1 for domain overseer.mydomain.com and p2 for domain overseer-lb.mydomain.com, and they are saved in Chrome such that p1 and p2 correspond to the right domains.

And then password p2 is filled automatically for overseer.mydomain.com

If yes, it looks incorrect. Since I can't reproduce such a situation on my machine, could you please attach a Password Manager log and I'll try to check what's happening. To record the log, please:

1. Go in one tab to chrome://password-manager-internals
2. In another tab, go to the page and check that credentials from the wrong site are filled.
3. Save the log from the first tab to a file and attach it to this bug.

The log contains URLs but it doesn't contain any usernames/passwords.

steven@,

Could you please respond as per C#11?
Thanks!

Status: Fixed (was: Available)
This issue was fixed on https://chromium-review.googlesource.com/c/chromium/src/+/852254
