Security: Unmasked Password incorrectly cleared after changing search criteria
Reported by
mail2al...@gmail.com,
Nov 27 2017
|
||||||
Issue descriptionHello, With the password management page and filtering a given site, I can see the password by clicking on the show button after entering password of the OS session. Then, by deleting the value entered in the filter field, the password displayed before remains visible for the first site in the list and that prevents me from seeing the password of the latter. The capture shows the problem encountered after emptying the filter field. Thank you. Regards, Ali Google Chrome Google Chrome is up to date Version 62.0.3202.94 (Official Build) (64-bit)
,
Nov 27 2017
This is indeed a functional bug; confirmed repro on Chrome 63. Deleting screenshots with PII. 1. Visit chrome://settings/passwords 2. Unmask the first password. 3. Perform a search using the UI on the tab that returns an account OTHER than the one you unmasked Observe: The unmasked password is shown as if it were the password of the first search result.
,
Nov 27 2017
,
Nov 27 2017
The getPassword_ function inside show_password_behavior.js gets confused such that a previously-retrieved password is returned (e.g. "this.password") even for a different |item|. I don't know much about Polymer, but it looks like iron-list reuses template nodes, which would imply that a single behavior could be reused for different items? show_password_behavior.js hasn't changed since it landed in 62.0.3175.0 via crrev.com/491454.
,
Nov 28 2017
jdoerrie@, who investigated this area most recently is already Cc-ed. There is no doubt that this has been an issue, so marking as Available.
,
Dec 4 2017
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by elawrence@chromium.org
, Nov 27 2017Labels: Restrict-View-SecurityEmbargo
Summary: Security: Password is still visible after unmasking (was: Security: Password is still visible after )