VULNERABILITY DETAILS
Chrome automatically enters saved passwords for HTTP pages.

When combined with basic attack tools another attackers on the same LAN and attackers in control of an upstream router can extract saved passwords from a users saved password list.

VERSION
Chrome Version: 62.0.3202.62 for Windows 10 - 64 Creator update and 
This problem also 61 on Android Nougat.

REPRODUCTION CASE (Basic)
*When the user browses to a http site that the user has saved a password for the password will be filled for insecure transmission.

REPRODUCTION CASE advanced
*Using a man in the middle attack (including arp cache poisioning).  Redirect the user to a login page for an http site that they have saved their password for.  When the user browser loads the login page add javascript to the network transmission that posts their username/password to your server.

Through a series of redirects the attacker could extract many passwords from a single user.

SOLUTION: COPY FIREFOX
*Firefox doesn't load the password for non-secured sites until the user clicks in the username filed and clicks pas the warning that says "this connection is not secure.  Logins entered here could be compromised".