Security: Chrome Username/Password Saving Drag-and-Drop Bug
Reported by corrrosi...@gmail.com, Jan 12 2018
Issue description

VULNERABILITY DETAILS
Chrome's "Save Password" feature will attempt to save the value of a username field from before modifications done by having contents dragged from it using the cursor. This could result in a user accidentally saving their password in the username field, and it being displayed in plaintext the next time the site is accessed. It also breaks the ability to login, as the details saved would not work.

VERSION
Chrome Version: 63.0.3239.132 (Official Build) (64-bit) (stable)
Operating System: Windows 8.1 Enterprise

REPRODUCTION CASE
1) A user navigates to a site which features a single "Username" and "Password" field to login with.
2) The user types their username, and doesn't hit <TAB> (broken keyboard, mistap, etc), and accidentally enters their username (Mary) and password (BatteryStaple) in the username field - so it says "MaryBatteryStaple".
3) The user realises their mistake, so highlights then drags their password to the password field.
4) The user presses <ENTER> or clicks the login button, to successfully log into the site.
5) The user is prompted to remember their login details - which will be in the format:
Username: MaryBatteryStaple
Password: BatteryStaple
Jan 12 2018
It's not a security bug but an interesting flaw. The username was changed by a user action and not JS. Nevertheless, the password manager didn't capture it.
Jan 14
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 17 (6 days ago)
Chrome doesn't detect drag-and-drop events as a change (and also Ctrl+V events). A user has to type something.
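The reproduction case from the report and the mechanism in the comment above (changes made by drag-and-drop or paste are not seen as a change; only typed input is), as an added example that is not Chromium's code: it replays a constructed event log through a simplified model of a keystroke-only capturer beside one that reads the fields' final values at submit. The keystroke-only model and the `leaksPassword` check are assumptions made for illustration, not Chrome's implementation.

```javascript
// Added example, not Chromium code: a simplified model of the flaw in this
// thread; the keystroke-only capturer is an assumption, not Chrome's code.

// Constructed event log for the reproduction case in the report: Mary
// types username and password into the username field, then drags the
// password out of it into the password field, then submits.
const EVENT_LOG = [
  { type: 'type', field: 'username', text: 'MaryBatteryStaple' },
  { type: 'drag', from: 'username', to: 'password', text: 'BatteryStaple' },
  { type: 'submit' },
];

// Replay the log, tracking the real field contents and, separately, the
// username as seen by an observer that only learns of typed characters.
function replay(events) {
  const fields = { username: '', password: '' };
  let typedUsername = '';
  for (const ev of events) {
    if (ev.type === 'type') {
      fields[ev.field] += ev.text;
      if (ev.field === 'username') typedUsername = fields.username;
    } else if (ev.type === 'drag' || ev.type === 'paste') {
      // Drop and paste change a field without any key event, so the
      // typed-only observer never sees the new username value.
      if (ev.from) fields[ev.from] = fields[ev.from].replace(ev.text, '');
      fields[ev.to] += ev.text;
    }
  }
  return { fields, typedUsername };
}

// Flawed capture: username from keystrokes, password from the field.
function captureKeystrokeOnly(events) {
  const { fields, typedUsername } = replay(events);
  return { username: typedUsername, password: fields.password };
}

// Corrected capture: read every field's current value at submit time,
// regardless of how the value got there (typed, pasted or dropped).
function captureFromFields(events) {
  const { fields } = replay(events);
  return { username: fields.username, password: fields.password };
}

// Sanity check a manager could run before offering to save: a username
// that contains the password is almost certainly the mistake seen here.
function leaksPassword(cred) {
  return cred.password.length > 0 && cred.username.includes(cred.password);
}
```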
Comment 1 by dominickn@chromium.org, Jan 12 2018
Components: UI>Browser>Passwords
Labels: Security_Severity-Low Security_Impact-Stable OS-Windows Pri-2
Owner: vabr@chromium.org
Status: Assigned (was: Unconfirmed)