Security: Leaching passwords
Reported by mariu...@gmail.com, Dec 11 2017
Issue description
VULNERABILITY DETAILS
Leaching stored credentials without password of current user
VERSION
Chrome Version: [63.0.3239.84 (Official Build) (64-bit)] + [stable]
Operating System: [My OS: Windows 10 pro, Version 1709 could not find my service pack]
I have reproduced it on several different Windows machines
REPRODUCTION CASE
How to leach stored credentials in Chrome from a user that did not log out.
If you log in to Chrome on the PC, you can synchronize the passwords and log out again, and the person that is logged in on the PC will not know it. And you can log into Chrome on your own PC, and then you can see the other person's stored credentials.
How to do it:
1. Open or access Chrome, without logging the other user out
2. In the top right corner of your tab there is a little icon, just at the left side of the minimizing button. Click it and sign in with your own gmail
3. A pop-up message will appear, it will ask you to synchronize passwords, just click “ok”
4. Now press the 3 dots right under the red X for closing the window, and select “Settings”
5. At the top you will see “People” and press the sign out button
6. When you press the sign out button a pop-up message appears, and in the bottom of it just click on the “Also remove your existing data from this device” and sign out. Performing this step makes it harder to trace
7. Sign into any device where you know the password of a user, and open Chrome, and sign into Chrome like step 2 and 3
8. Open “Settings” (step 5), and scroll down to the bottom and press “Advanced”
9. Scroll down to “Manage passwords” and select it.
10. It will then show you all your saved credentials including those synchronized from the other user
11. By clicking the eye and entering your local user password, you can see the full credentials of the other user that you leached the stored credentials from.
A possible solution:
- ask for local user password before the synchronization in step 3
Dec 12 2017
ok :D
Mar 20 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Dec 11 2017
Mergedinto: 792878
Status: Duplicate (was: Unconfirmed)