
Issue 780582

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security




Security: Can view any password saved by Chrome without reentering Google password

Reported by naco...@gmail.com, Nov 1 2017

Issue description

VULNERABILITY DETAILS
In Chrome://settings/password in the Chrome browser there is an icon to view the password in question. There is no password sign-in required to see this. In other words, if you have your browser set to the normal automatic sign-in to Google, and step away from your computer for a minute, anyone can go to the settings and hit the icon to view the password for each and every site that Chrome has saved the password for. They should definitely have to reenter that Google password to view the passwords.

VERSION
Chrome Version: latest stable
Operating System: Windows 7 Ultimate

REPRODUCTION CASE
To reproduce the issue just go to chrome://settings, type password into the search and then click the eye icon to view each password.


exploit.png (135 KB)
Components: UI>Browser>Passwords
Labels: Security_Severity-Low Security_Impact-Stable OS-Mac
Owner: rogerta@chromium.org
Hi rogerta@ - routing this out of an abundance of caution. I can't repro this myself. Does it key off a Windows setting that this user could enable, perhaps?
Possibly related to issue 768306
Project Member

Comment 3 by sheriffbot@chromium.org, Nov 8 2017

Labels: Pri-2
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 8 2017

Status: Assigned (was: Unconfirmed)
Cc: elawrence@chromium.org
Status: WontFix (was: Assigned)
I'm not able to reproduce this in current builds, and the temporary regression noted in #2 is a credible explanation.

If you can still reproduce this issue, please update the issue with your current chrome version from chrome://version.

Comment 6 by naco...@gmail.com, Mar 9 2018

I just tried to reproduce it. I typed google passwords in the search bar which brought me to a password page (good behavior). After entering the password it took me to the page.

I tried a couple of other configurations, closing Chrome and reopening it:

1. Closing the password page before logging out... when I tried going back to the page it required I re-enter my password (good behavior!, and a change from before).
2. Leaving the password window open, with my browser set to restore tabs, which brought the passwords page up without requiring I reenter my password (better behavior than before, but still a chance for someone to think they'd secured things, by logging off, and not really have secured things).

Comment 7 by naco...@gmail.com, Mar 9 2018

Version 65.0.3325.146 (Official Build) (64-bit)
Project Member

Comment 8 by sheriffbot@chromium.org, May 24 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
