
Issue 800686

Starred by 3 users

Issue metadata

Status: Verified
Owner:
hobby only
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android, Windows, iOS, Mac
Pri: 1
Type: Bug

Blocking:
issue 788701




Ensure that exporting passwords does not reuse the 60s grace period from viewing passwords

Project Member Reported by vabr@chromium.org, Jan 10 2018

Issue description

This is a privacy requirement from https://crbug.com/791009#c8:

When exporting the passwords, the user should be reauthenticated even if the user reauthenticated for viewing all passwords recently (before 60s).

This affects all platforms with reauthentication: Win, Mac, iOS, Android.

This also should be reflected in the design doc (go/chrome-pwd-export).

cfroussios@, ioanap@ -- if this is done for desktop and iOS, respectively, already, then please confirm here. Otherwise, please associate your related CLs with this bug once you create them. Thanks!
 
Project Member

Comment 1 by bugdroid1@chromium.org, Jan 17 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3e35f6776b0713feb49f1d323bfbfc36d1a1e517

commit 3e35f6776b0713feb49f1d323bfbfc36d1a1e517
Author: Christos Froussios <cfroussios@chromium.org>
Date: Wed Jan 17 10:07:34 2018

[Password Manager] Exporting passwords does not reuse previous reauth

Viewing passwords on the settings page requires reauth, but only once per
minute. Exporting the entire password list now ignores this grace period.

Bug: 800686, 789561
Change-Id: I5f46afc3f0ec123bac371a6fa2329f55c6c20632
Reviewed-on: https://chromium-review.googlesource.com/864149
Reviewed-by: Vaclav Brozek <vabr@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Commit-Queue: Christos Froussios <cfroussios@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529690}
[modify] https://crrev.com/3e35f6776b0713feb49f1d323bfbfc36d1a1e517/chrome/browser/extensions/api/passwords_private/passwords_private_delegate_impl.cc
[modify] https://crrev.com/3e35f6776b0713feb49f1d323bfbfc36d1a1e517/chrome/browser/extensions/api/passwords_private/passwords_private_delegate_impl_unittest.cc
[modify] https://crrev.com/3e35f6776b0713feb49f1d323bfbfc36d1a1e517/chrome/browser/ui/passwords/password_access_authenticator.cc
[modify] https://crrev.com/3e35f6776b0713feb49f1d323bfbfc36d1a1e517/chrome/browser/ui/passwords/password_access_authenticator.h
[modify] https://crrev.com/3e35f6776b0713feb49f1d323bfbfc36d1a1e517/chrome/browser/ui/passwords/password_access_authenticator_unittest.cc

Project Member

Comment 2 by bugdroid1@chromium.org, Jan 22 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bd1e4ee068ffd71f791a9006d44ff5e0984dd207

commit bd1e4ee068ffd71f791a9006d44ff5e0984dd207
Author: Ioana Pandele <ioanap@chromium.org>
Date: Mon Jan 22 17:32:43 2018

Add re-authentication for password export

The re-authentication mechanism used for password export is almost the same as for password showing
and copying. When exporting passwords, previous successful authentications are ignored and the user
is always asked to re-authenticate.

Bug: 789122, 800686
Cq-Include-Trybots: master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: I299ae9de8f8686e6c3fa5a38b30a85d2408324aa
Reviewed-on: https://chromium-review.googlesource.com/870782
Commit-Queue: Ioana Pandele <ioanap@chromium.org>
Reviewed-by: Sylvain Defresne <sdefresne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#530902}
[modify] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/app/strings/ios_strings.grd
[modify] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/BUILD.gn
[modify] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/password_details_collection_view_controller.mm
[modify] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/password_details_collection_view_controller_unittest.mm
[add] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/password_exporter.h
[add] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/password_exporter.mm
[modify] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/reauthentication_module.h
[modify] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/reauthentication_module.mm
[add] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/reauthentication_module_for_testing.h
[add] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/reauthentication_module_unittest.mm
[modify] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/reauthentication_protocol.h
[modify] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/save_passwords_collection_view_controller.h
[modify] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/browser/ui/settings/save_passwords_collection_view_controller.mm
[modify] https://crrev.com/bd1e4ee068ffd71f791a9006d44ff5e0984dd207/ios/chrome/test/app/password_test_util.mm

Project Member

Comment 3 by bugdroid1@chromium.org, Jan 27 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2ed20c911418508951b29edbc4e84ee44a54fe05

commit 2ed20c911418508951b29edbc4e84ee44a54fe05
Author: Vaclav Brozek <vabr@chromium.org>
Date: Sat Jan 27 22:01:00 2018

[Android password settings] Separate timer for export

The user needs to reauthenticate both to view/copy and to export
passwords. Once reauthenticated, the authentication is skipped for the
next 60 seconds.

Through authentication, the user grants easy access to anybody
holding their device in the next 60 seconds to the passwords on their
device.

The explanation message of the reauth prompt includes the scope of the
approval (e.g., "to view your passwords" or "to export your
passwords") of the _first_ reason to reauthenticate.

To protect the privacy of the user, if they grant the access for a
one-at-a-time access (e.g., viewing passwords) but then a bulk access
(e.g., export of all passwords) is requested within the grace period
of 60 seconds, Chrome ignores the grace period and requests the reauth
again.

Bug: 800686
Change-Id: Icc96bf490b13ba7ba172bc88fdef0ffdefaf97f2
Reviewed-on: https://chromium-review.googlesource.com/883525
Commit-Queue: Vaclav Brozek <vabr@chromium.org>
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: Theresa <twellington@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532254}
[modify] https://crrev.com/2ed20c911418508951b29edbc4e84ee44a54fe05/chrome/android/java/src/org/chromium/chrome/browser/preferences/password/PasswordEntryEditor.java
[modify] https://crrev.com/2ed20c911418508951b29edbc4e84ee44a54fe05/chrome/android/java/src/org/chromium/chrome/browser/preferences/password/PasswordReauthenticationFragment.java
[modify] https://crrev.com/2ed20c911418508951b29edbc4e84ee44a54fe05/chrome/android/java/src/org/chromium/chrome/browser/preferences/password/ReauthenticationManager.java
[modify] https://crrev.com/2ed20c911418508951b29edbc4e84ee44a54fe05/chrome/android/java/src/org/chromium/chrome/browser/preferences/password/SavePasswordsPreferences.java
[modify] https://crrev.com/2ed20c911418508951b29edbc4e84ee44a54fe05/chrome/android/javatests/src/org/chromium/chrome/browser/preferences/password/SavePasswordsPreferencesTest.java
[modify] https://crrev.com/2ed20c911418508951b29edbc4e84ee44a54fe05/chrome/android/junit/src/org/chromium/chrome/browser/preferences/password/PasswordReauthenticationFragmentTest.java
[modify] https://crrev.com/2ed20c911418508951b29edbc4e84ee44a54fe05/chrome/android/junit/src/org/chromium/chrome/browser/preferences/password/ReauthenticationManagerTest.java
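
Added example, not code from Chromium or from this issue: a C++ sketch of the per-scope grace period that the commit message in comment 3 describes, where an approval given for viewing never satisfies a later export request. All names are hypothetical; giving export its own 60-second timer follows the "separate timer" wording of the Android change, and keeping the two scopes fully independent, expiring at exactly 60 s, and failing closed on a backwards clock are assumptions.

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical scopes: what the user was told they were approving.
enum class ReauthScope : std::size_t { kViewOneAtATime = 0, kBulkExport = 1 };

constexpr int64_t kGracePeriodSeconds = 60;  // grace period named in the issue

class ScopedReauthGate {
 public:
  // Call only after the OS credential prompt shown for `scope` succeeded.
  void RecordSuccess(ReauthScope scope, int64_t now_s) {
    Slot& s = slots_[static_cast<std::size_t>(scope)];
    s.valid = true;
    s.at_s = now_s;
  }

  // True when the user must be prompted again before `scope` is allowed.
  bool NeedsReauth(ReauthScope scope, int64_t now_s) const {
    const Slot& s = slots_[static_cast<std::size_t>(scope)];
    if (!s.valid) return true;        // never approved for this scope
    if (now_s < s.at_s) return true;  // clock went backwards: fail closed
    return now_s - s.at_s >= kGracePeriodSeconds;  // assumed: expires at 60 s
  }

 private:
  struct Slot {
    bool valid = false;
    int64_t at_s = 0;
  };
  // One timestamp per scope, so a "view" approval never unlocks "export".
  Slot slots_[2];
};

// Constructed scenario from the issue: the user approves viewing at t=0 and
// export is requested at t=30, inside the viewing grace period.
bool ExportPromptsInsideViewGrace() {
  ScopedReauthGate gate;
  gate.RecordSuccess(ReauthScope::kViewOneAtATime, 0);
  const bool view_skipped = !gate.NeedsReauth(ReauthScope::kViewOneAtATime, 30);
  const bool export_prompts = gate.NeedsReauth(ReauthScope::kBulkExport, 30);
  return view_skipped && export_prompts;
}

int main() { return ExportPromptsInsideViewGrace() ? 0 : 1; }
```

The timestamps are passed in rather than read from a clock so the same class can be driven from a unit test; in production they should come from a monotonic source.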

Comment 4 by vabr@chromium.org, Jan 28 2018

Status: Fixed (was: Assigned)
Thanks everybody!
This is now fixed on all platforms.
Verified on 66.0.3335.0 Canary on iPhone 8plus(iOS 11.3 beta) and iPad Air(iOS 10.3.3)

User is now always asked for re-authentication on tapping export password

Link to video: 
https://drive.google.com/file/d/1vREutbnWl9DjnlYqn_VCY9mN78eH9J5n/view?usp=sharing

Comment 6 by vabr@chromium.org, Feb 20 2018

Blocking: 788701
Status: Verified (was: Fixed)
Issue verified 
Version: Chrome Beta  66.0.3359.98
Device: iPhone 6
iOS: 11.2.6

User is asked to authenticate even after having reauthenticated for viewing all passwords recently (before 60s).
https://drive.google.com/open?id=1KpJJWA_9UjjZjd9jCfRMhnargaexfU55
