
Issue 786818


Issue metadata

Status: Duplicate
Merged: issue 126398
Owner: ----
Closed: Nov 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Bypassing Password Manager lock for saved passwords

Reported by wass...@gmail.com, Nov 19 2017

Issue description

VULNERABILITY DETAILS
Chrome's Password Manager is locked through the local user's master password (the OS account password), and access to saved passwords is only granted after the user types the OS password again in chrome://settings/passwords. However, this can easily be bypassed as detailed below.

The bug in question is related to the Chrome auto-fill feature: when a user navigates to a website for which Chrome has saved a password, the log-in form is automatically filled with the username and password. Our attack simply uses the Chrome Developer tools to inspect the password field and unmask its characters (as opposed to the regular `*****` shown on normal password fields).

To perform the attack, a user who has physical or remote access to the computer (could also be done through a Chrome extension) can simply perform the following steps:

1. Navigate to the target website
2. Chrome fills the user/password fields automatically, which already allows access to the website; however, it does not give away the password (which is masked with asterisk characters)
3. Perform an "inspect element" on the password field.
4. Change the <input> element `type` field from `password` to `text`
5. The password is now shown in plain sight (which would have otherwise required a re-login to the local OS account if accessed through the Password Manager).

This attack doesn't require the user to access the file system, which makes it easy to deploy Chrome extensions that perform this attack without the user noticing. A list of available passwords can be accessed through chrome://settings/passwords without need for log-in.

VERSION
Chrome Version: 62.0.3202.94 stable
Operating System: OS X High Sierra Beta
 
Attachment: Screen Shot 2017-11-19 at 3.15.12 PM.png (280 KB)
Components: UI>Browser>Passwords
Mergedinto: 126398
Status: Duplicate (was: Unconfirmed)
That's correct. A physically-local attacker has numerous mechanisms available to obtain the user's passwords. The prompt for the system password on the chrome://settings/passwords page is not a security boundary (and that prompt isn't even present on some platforms.)

https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What-about-unmasking-of-passwords-with-the-developer-tools
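
A site that wants a signal when an autofilled field is unmasked as in steps 3 and 4 of the report can watch for the `type` attribute change itself. The following is an added example, not code from the report or from Chromium; the `report` callback and the `allowed` set (inputs the site's own "show password" toggle may unmask) are assumptions. As the reply above states, this is not a security boundary against a local user; it only clears the field and records the event.

```javascript
// Added example (not Chromium code): page-side detection of a password
// field whose `type` attribute is flipped away from "password".

// Pure function over MutationRecord-like objects: keep records where the
// old type was "password", the field is no longer masked, and it holds a value.
function findUnmasked(records, allowed = new WeakSet()) {
  return records.filter((r) =>
    r.type === 'attributes' &&
    r.attributeName === 'type' &&
    String(r.oldValue || '').toLowerCase() === 'password' &&
    r.target.type !== 'password' &&
    r.target.value !== '' &&
    !allowed.has(r.target));
}

// Response: drop the filled-in value, restore masking, report the event.
// `report` is a hypothetical callback (for example, the site's telemetry).
function handleUnmask(records, report, allowed) {
  const hits = findUnmasked(records, allowed);
  for (const r of hits) {
    r.target.value = '';
    // Restoring the type produces a new record with oldValue "text",
    // which findUnmasked ignores, so this does not loop.
    r.target.setAttribute('type', 'password');
    report({ field: r.target.name || r.target.id || '(unnamed)', at: Date.now() });
  }
  return hits.length;
}

// Browser wiring; returns null when no DOM is available (e.g. under Node).
function watchPasswordFields(root, report, allowed) {
  if (typeof MutationObserver === 'undefined') return null;
  const obs = new MutationObserver((recs) => handleUnmask(recs, report, allowed));
  obs.observe(root, {
    subtree: true,
    attributes: true,
    attributeFilter: ['type'],
    attributeOldValue: true, // needed to know the field used to be "password"
  });
  return obs;
}
```

In a page this would be started with `watchPasswordFields(document, sendToTelemetry)`, where `sendToTelemetry` is whatever reporting function the site already has.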
Project Member

Comment 2 by sheriffbot@chromium.org, Feb 26 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
