
Issue 782688

Starred by 3 users

Issue metadata

Status: Duplicate
Merged: issue 677220
Owner: ----
Closed: Nov 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 3
Type: Bug




Password input form vulnerability

Reported by ramirodu...@gmail.com, Nov 8 2017

Issue description

PRIVACY ISSUE
Able to capture password keystroke over Google Chrome navigator

VERSION (Tested on two computers):
Computer 1:
Chrome Version: Version 62.0.3202.89 (Build official) (64 bits)
Operating System: macOS High Sierra Version 10.13
Computer 2:
Chrome Version: Version 61.0.3163.100 (Build official) (64 bits)
Operating System: OS X El Capitan Version 10.11.6

REPRODUCTION STEPS
    After successfully executing a simple keylogger, programmed in C 
language, on our MacBook Pro machines, we tried to type passwords 
on different browsers and log all the keystroke events to a log 
file. After trying in Safari as well as in Firefox, without success, 
we decided to give it a try in Google Chrome and we found out that 
the browser doesn't have any countermeasure against this vulnerability, 
thus we decided to report it. 
    We found out that this attack could escalate into a bigger issue,
by letting the attacker log all the passwords typed by the user inside
Google Chrome on a remote log server.  Meaning the attacker will not 
only get everything the user types but in addition, all user passwords 
that could grant the attacker access to all sensitive information of 
the user.


CONTRIBUTORS
Finquelstein, Ian - hannothompsonfi95@gmail.com
Dutto Luquez, Ramiro - ramirodutto@gmail.com

We provided some screenshots to prove it.

Regards.

 
Attachments: Chrome capture.png (206 KB), Firefox capture.png (218 KB)
Components: UI>Browser>Passwords
Labels: OS-Mac Type-Bug
Components: Security
+Security to comment on this; I assume this is a case of local attacker not being in the threat model?

I'd be interested in more information though. Regardless of how Firefox treats password input fields, you still have to actually press the keys to type the password, so it sounds like this would depend a lot on the particular implementation of the keylogger?

Comment 3 by rsesek@chromium.org, Nov 10 2017

Mergedinto: 677220
Status: Duplicate (was: Untriaged)
We need to rework the way we enable secure text input to prevent this, but this isn't considered a vulnerability because local attackers are outside our threat model (i.e., if an attacker has already installed a key logger, then they're already persistent on the device).

https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model

While it's true that the attacker must have had prior access to the computer, we consider that it is a small security implementation that contributes to the overall security of the system (other processes and the OS) of which Chrome is part. Every application that we tested contemplates this security measure except for Chrome.
