
Issue metadata

Status: Duplicate
Merged: issue 781138
Owner: ----
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




Issue 792967: Chrome browser log-in password changed, but stored passwords still available

Reported by kishore....@gmail.com, Dec 7 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Steps to reproduce the problem:
1. Change your Google password.
2. Open the Chrome browser.
3. Sync shows "out of sync", but the user still has access to the data stored in the browser.

What is the expected behavior?
If the sync is NOT working because of some security problem, I would expect that all the data stored in the browser for the user should NOT be available for use in the browser.

What went wrong?
I lost a laptop, so I changed my Google password. But this has NOT changed anything in the browser. I was able to log into all my websites with the stored passwords. An expired password has NO effect on the browser's behavior. If someone gets through my Windows credentials, the browser is now open for anyone. This is a scary situation. Changing the Google password should disable access to all the user data until a re-authentication is performed.

Did this work before? N/A 

Chrome version: 62.0.3202.94  Channel: n/a
OS Version: 10.0
Flash Version:
 

Comment 1 by elawrence@chromium.org, Dec 7 2017

Components: Services>Sync
Labels: -Restrict-View-SecurityTeam allpublic
Mergedinto: 781138
Status: Duplicate (was: Unconfirmed)
This is working as designed. New data will not sync to the other instances until you enter the current password, but old data will remain available.

To protect data on devices from compromise, use the security features provided by the operating system (e.g. user account passwords and full disk encryption). https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model

Comment 2 by kishore....@gmail.com, Dec 11 2017

The idea of Working As Intended is NOT an appropriate way to handle the situation. Have you thought about other ways to manage the situation? When the browser detects that the password is out of sync, why is it still auto-completing the passwords tied to an account? Shouldn't this feature be disabled, acknowledging the fact that the account is now out of sync? What precautions is the browser taking when it detects that the account is out of sync? This issue is NOT about me finding my lost laptop. This is a security gap in how Chrome works.

Comment 3 by elawrence@chromium.org, Feb 1 2018

Issue 808029 has been merged into this issue.

Comment 4 by daf...@gmail.com, Feb 1 2018

I agree with the last comment. Everybody knows that breaking a local Windows password is child's play, as in my previous case: just using some tools from Hiren's BootCD, the local password could be changed in one second. So my logic is the following:

If Google is providing me a feature to save my passwords in a "secure" way, why does Google say that the best way to protect the passwords is the OS password? Google should protect them itself. I really like Microsoft, but everybody with some technical skill knows its weakness.
And Google products are amazing, so why not fix this weakness we found, just to be 100 percent sure about the product?

Comment 5 by elawrence@chromium.org, Feb 7 2018

Issue 809926 has been merged into this issue.
