UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Steps to reproduce the problem:
1. Change your Google password
2. Open Chrome browser
3. Sync shows out of sync, but the user still has access to stored data on the browser

What is the expected behavior?
If the sync is NOT working because of some security problems, I would expect that all the data stored in the browser for the user should NOT be available to use in the browser.

What went wrong?
I lost a laptop so I changed my Google password. But this has NOT changed anything in the browser. I was able to log into all my websites with the stored passwords. An expired password has NO effect on the browser behavior. If someone gets through my Windows credentials, the browser is now open for anyone. This is a scary situation. Changing the Google password should disable access to all the user data until a re-authentication is performed.

Did this work before? N/A

Chrome version: 62.0.3202.94 Channel: n/a
OS Version: 10.0
Flash Version:
Dec 7 2017,
This is working as designed. New data will not sync to the other instances until you enter the current password, but old data will remain available. To protect data on devices from compromise, use the security features provided by the operating system (e.g. user account passwords and full disk encryption). https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model
Dec 11 2017,
The idea of Working As Intended is NOT an appropriate way to handle the situation. Have you thought about other ways to manage the situation? When the browser detects that the password is out of sync, why is it still auto-completing the passwords tied to an account? Shouldn't this feature be disabled, acknowledging the fact that the account is now out of sync? What precautions is the browser taking when it detects that the account is out of sync? This issue is NOT about me finding my lost laptop. This is a security gap in how Chrome works.
Feb 1 2018,
Issue 808029 has been merged into this issue.
Feb 1 2018,
I agree with the last comment. Everybody knows that breaking a local Windows password is child's play; as in my previous case, just using some tools from Hiren's Boot, the local password could be changed in one second. So my logic is as follows: if Google is providing me a feature to save my passwords in a "secure" way, why does Google say that the best way to protect the passwords is a password of the OS? Google should protect them by itself. I really like Microsoft, but everybody with some technical skill knows its weakness. And Google products are amazing, so why not improve this weakness we found, just to be 100 percent sure about the product?
Feb 7 2018,
Issue 809926 has been merged into this issue.