
Issue 784076


Issue metadata

Status: Duplicate
Merged: issue 678171
Owner: ----
Closed: Nov 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Malware running as user can read user's data

Reported by reachnis...@gmail.com, Nov 11 2017

Issue description

Hi team,

Chrome browser's password saving mechanism asks for Windows password (if the password is set for Windows login) before revealing the saved passwords.

This gives the user a sense of protection. Like many users, I used to think that Chrome uses this master password (Windows password) to encrypt the saved passwords and that malware can't steal saved plaintext passwords without knowing the master password.

But recently I was testing a post-exploitation password retrieval tool on my system (tool: https://github.com/AlessandroZ/LaZagne), which revealed all my saved Chrome passwords despite having a master password.

Don't you think, either you should encrypt the passwords using this master password or at least warn the users that it is not providing any protection to saved cleartext passwords from a malware?

In encrypted form, even if the system is compromised, at least saved credentials in Chrome will stay safe. Even if the attacker elevates to local admin level and dumps the hashes, he still has to crack those to get the master password.

I am using Chrome Version 61.0.3163.100 for Windows.

Thanks!
 
Components: UI>Browser>Passwords
Mergedinto: 678171
Status: Duplicate (was: Unconfirmed)
Summary: Security: Malware running as user can read user's data (was: Security: Illusion of security in Chrome's saved password mechanism)
You are correct that prompting the user for the master password is a protection against lazy "attackers" and is not a true security boundary.

Passwords are in fact stored using encryption, but the key is a security object of the current user's Windows login account; if you run malware in that user's account, it has access to the same key and can thus decrypt the passwords. Encryption does help protect the data in scenarios where the attacker (e.g. someone who steals your disk) does not have access to your Windows password.

See https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model for background on why local attacks are outside of the browser's threat model. Beyond more complicated attacks described here, there are numerous much simpler vectors for harvesting passwords given unrestricted physical access to the PC: e.g. https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What-about-unmasking-of-passwords-with-the-developer-tools
Project Member

Comment 2 by sheriffbot@chromium.org, Feb 17 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
