
Issue 798879


Issue metadata

Status: Duplicate
Merged: issue 798492
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac, Fuchsia
Pri: 3
Type: Bug-Security




Security: setting autofill to off does not prevent autofill

Reported by jp.ste...@gmail.com, Jan 3 2018

Issue description


Chrome leaks personal information through the autofill functionality.  Disabling autofill and auto login does NOT prevent this attack.





VULNERABILITY DETAILS
Setting autofill=off

The basic attack information is detailed here:
https://thehackernews.com/2018/01/browser-password-managers.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29&_m=3n.009a.1653.hs0ao09l5b.100c

The workaround listed here is to disable autofill.  Disabling this alone does not prevent Chrome from filling in login information.  Neither does disabling auto-login.


VERSION

Chrome Version 63.0.3239.84 (Official Build) (64-bit)

Mac OS X El Capitan: 10.11.6 (15G17023)


REPRODUCTION CASE
Under:
chrome://settings/passwords
set manage passwords to ON
set auto log-in to ON
Under 
chrome://settings/autofill
set autofill to ON

Go to facebook.com
Log in, set Chrome to save password.

Under:
chrome://settings/passwords
set manage passwords to OFF
set auto log-in to OFF
Under 
chrome://settings/autofill
set autofill to OFF

Close and re-open Chrome
Return to facebook.com

The login form shows the email and password filled in.


 
Cc: se...@chromium.org
Components: UI>Browser>Autofill
Labels: Security_Impact-Stable OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows Pri-3
Thanks for the report!

I don't think this is a security issue with Chrome though.

Third party scripts misbehaving is a problem with particular websites, not really the browser. 

It seems that we are already aware of this trick exploiting autofill and are trying to block it (https://bugs.chromium.org/p/chromium/issues/detail?id=448539) but in any case misbehaving scripts will always be able to do damage.

As for disabling autofill not working as you'd expect, I agree this behavior does seem weird, though I don't think this is really a security issue. In any case saved passwords and usernames can be deleted manually by clicking on the credentials' hamburger menu.

sebsg@ what do you think?
Labels: -Restrict-View-SecurityTeam allpublic
Status: WontFix (was: Unconfirmed)
The attack mentioned in the original report is tracked as Issue 798492; it's an issue with the Password Manager's behavior.

Perhaps confusingly, "Autofill" is NOT automatic (it always requires user interaction) and the AutoFill setting and triage component do NOT cover the automatic filling behavior of the Password Manager.

To make the password manager behave as AutoFill does (blocking this attack), see chrome://flags/#fill-on-account-select and/or https://textslashplain.com/2017/12/28/taking-off-your-nametag/.
Mergedinto: 798492
Status: Duplicate (was: WontFix)

Comment 4 Deleted
