New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 782164 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: 2017-11-10
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug



Sign in to add a comment

[Password Generation] Autofilled password can be revealed if a user generated a password in the password field before

Project Member Reported by kolos@chromium.org, Nov 7 2017

Issue description

1) Visit any password form. A saved credential should be available.
2) Trigger password generation.
3) Move focus to username field. Trigger account selection and fill a saved credential.
4) Move focus to the password field.

What is the expected result?
The password value shouldn't be revealed. 

What happens instead?
The password value is revealed.
 
revealed_password.gif
2.2 MB View Download

Comment 1 by kolos@chromium.org, Nov 7 2017

Components: UI>Browser>Passwords>Generation

Comment 2 by kolos@chromium.org, Nov 7 2017

Cc: maxwalker@chromium.org

Comment 3 by kolos@chromium.org, Nov 8 2017

Labels: ReleaseBlock-Stable M-63
Status: Started (was: Assigned)
UI team requested to merge it back to M-63 because of privacy implications.

Comment 5 by kolos@chromium.org, Nov 9 2017

Labels: Merge-Request-63
UI team requested to merge it back to M-63 because of privacy risks.

Is the change well baked/verified in Canary, having enough automation tests coverage and safe to merge to M63?

Comment 7 by kolos@chromium.org, Nov 9 2017

Yes, the fix was verified in Canary. The CL includes enough tests coverage. 
NextAction: 2017-11-10
Thank you kolo@.
Lets wait for little more for canary baking, update the bug with Canary result tomorrow.
Project Member

Comment 9 by sheriffbot@chromium.org, Nov 9 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: ranjitkan@chromium.org
Labels: TE-Verified-M64 TE-Verified-64.0.3264.0
Rechecked this issue on Windows 10, Mac 10.12.6, Ubuntu 14.04 using chrome version 64.0.3264.0 and fix is working as intended. Followed the steps mentioned in the description and observed that no existing saved password is revealed. Attached is a screen cast for the same.

Tagging issue with TE-verified labels.

Thanks.!
Missed the screen cast in the above comment. Attached here.
PwdNot Revealed.webm
806 KB View Download
The NextAction date has arrived: 2017-11-10
Labels: -Merge-Review-63 Merge-Approved-63
Approving merge to M63 branch 3239 based on comment #7 and #10. Please merge ASAP so we can pick it up for next week beta release. Thank you.
Project Member

Comment 14 by bugdroid1@chromium.org, Nov 11 2017

Labels: -merge-approved-63 merge-merged-3239
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/492aaed27629df27017cd95e4f250709a5a2ea6a

commit 492aaed27629df27017cd95e4f250709a5a2ea6a
Author: Maxim Kolosovskiy <kolos@chromium.org>
Date: Sat Nov 11 10:18:05 2017

[Password Manager] Don't reveal password value of a field if Chrome autofilled the field

Bug:  782164 
Change-Id: If8060cb64a001a36be2118dc84a67d115bcf8215
Reviewed-on: https://chromium-review.googlesource.com/758652
Reviewed-by: Vadym Doroshenko <dvadym@chromium.org>
Commit-Queue: Maxim Kolosovskiy <kolos@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#514879}(cherry picked from commit ad0c0b5f0de364c358fa8b4a6b6b55eeb646f3a7)
Reviewed-on: https://chromium-review.googlesource.com/765347
Reviewed-by: Maxim Kolosovskiy <kolos@chromium.org>
Cr-Commit-Position: refs/branch-heads/3239@{#453}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[modify] https://crrev.com/492aaed27629df27017cd95e4f250709a5a2ea6a/chrome/renderer/autofill/password_autofill_agent_browsertest.cc
[modify] https://crrev.com/492aaed27629df27017cd95e4f250709a5a2ea6a/components/autofill/content/renderer/password_autofill_agent.cc
[modify] https://crrev.com/492aaed27629df27017cd95e4f250709a5a2ea6a/components/autofill/content/renderer/password_autofill_agent.h
[modify] https://crrev.com/492aaed27629df27017cd95e4f250709a5a2ea6a/components/autofill/content/renderer/password_generation_agent.cc
[modify] https://crrev.com/492aaed27629df27017cd95e4f250709a5a2ea6a/components/autofill/content/renderer/password_generation_agent.h

M63 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge  into the release branch ASAP. Thank you.



Comment 16 by kolos@chromium.org, Nov 13 2017

Status: Fixed (was: Started)

Sign in to add a comment