Gmail password changed but Chrome still shows stored passwords in a different computer
Reported by kishore....@gmail.com, Nov 3 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. Launch Chrome on two machines
2. On Machine A: Sign out of all Google sessions from within Gmail ==> "Last Activity Details" and Sign out of all web sessions
3. Change Google password
4. Now on machine two open your fav site whose credentials are stored in Chrome. Chrome allowed me to use my fav site passwords. The password change has NO effect on Chrome. I did NOT have to log into Chrome

What is the expected behavior?
I should also be logged out of Chrome and the password assist should NOT work any longer

What went wrong?
Chrome showed that my account is out of sync, but the password assist is still working

Did this work before? N/A

Chrome version: 61.0.3163.100 Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 27.0 r0
,
Nov 3 2017
ewald, thank you. I looked at the issue 766092. In my case I lost my laptop and yes, my Windows password is kinda secure and NOT a simple password. However, if someone can get thru my Windows password then I am basically exposed. So I signed out from all web sessions from within Gmail and I changed my Google password. I can still see that I am vulnerable. How can I make my situation better??
,
Nov 3 2017
Correct, this is WAI.

When you change your Google Password, it puts Chrome into an "auth error" state, which stops sync. However, that just stops the *syncing* of data between your local Chrome profile and your Google Account (i.e. it breaks the connection between your device & Google's cloud). However, any data that's *already been synced* to that device is part of the local profile. The data isn't tied to your Google Account, and it doesn't get cleared automatically when sync is turned off (or stops working due to an auth error).

@kishore - I'm sorry to hear that you lost your laptop :( It's good to hear that you have a Windows password protecting your laptop. I don't have any other suggestions for remotely wiping your local Chrome data on that device. Note that even if we did tie the data to your Google Account, it wouldn't provide any security guarantees; the attacker could just disconnect your laptop from the internet as soon as he obtains it, which would prevent Chrome from even seeing that you changed your password and getting an auth error.

Marking as WontFix since this is WAI. Best of luck finding your laptop!
,
Dec 7 2017
Issue 792967 has been merged into this issue.
,
Dec 11 2017
The idea of Working As Intended is NOT an appropriate way to handle the situation. Have you thought about other ways to manage the situation? When the browser detects that the password is out of sync, why is it still auto-completing the passwords tied to an account? Shouldn't this feature be disabled, acknowledging the fact that the account is now out of sync? What precautions is the browser taking when it detects that the account is out of sync? This issue is NOT about me finding my lost laptop. This is a security gap in how Chrome works.
,
Dec 11 2017
Re #5: An attacker with physical access to your computer and the permission to log into your user account need not bother using Chrome at all. They can simply extract the data directly from the encrypted storage (which is encrypted with your user account's private key) without even launching Chrome. https://chromium.googlesource.com/chromium/src/+/lkcr/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model
,
Dec 12 2017
Firefox has a concept of Master Password which helps protect the password file with a key that is NOT generated from your windows password.
,
Feb 3 2018
Issue 808820 has been merged into this issue.
,
Feb 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Nov 3 2017
Components: Services>Sync