Security: Chrome (Window) :: Password Manager
Reported by
hrshjrwl...@gmail.com,
Jan 14 2018
Issue description

VULNERABILITY DETAILS
I have developed a console application which can extract Chrome (on Windows) user details like username, password, credit card number, autofill data, etc.

Note: You don't need administrative privileges for this.

Why it works:
Chrome relies on Crypt32.dll for encrypting sensitive details on Windows. But the databases created by Chrome are not password protected, so anyone can access them and decrypt the password values.

The CryptProtectData [Crypt32.dll] function performs encryption on the data in a DATA_BLOB structure. Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer. For information about exceptions, see https://goo.gl/1tLmLs for how it works.

Database:
location: C:\Users\{%user%}\AppData\Local\Google\Chrome\User Data\{chromeProfile} // by default it is 'Default'
login database: 'Login Data'
Other important data: 'Webdata'

VERSION
Chrome Version: 63.0.3239.132 (Official Build) (64-bit) + stable
Operating System: Microsoft Windows [Version 10.0.16299.125]

REPRODUCTION CASE
I have attached the console application developed by me. Run that application and enter the user name of the Windows user currently logged in, and it will list all URLs, usernames and passwords (decrypted plain text) of the 'Default' profile used by Chrome. If you want to check another profile, just pass that profile name as a parameter to the application.

Example:
ConsoleApp1.exe
ConsoleApp1.exe "Profile 1" //for other profile

What a hacker will gain: They can get total control over the Google account of that user, if he/she doesn't have 2-factor authentication activated.

*****NOTE*****
I don't know whether it is possible on the Mac operating system or not, as I only have a Windows PC.
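
A defender's view of the access pattern described in this report, as an added example that is not part of the original report or of Chromium: it flags processes other than the installed chrome.exe that open a profile's 'Login Data' or 'Web Data' file. It assumes file-access audit records using the field names of Windows Security event 4663 (which requires file-system auditing and a SACL on those files); the records, the user `alice` and the allow-list are constructed for illustration.

```python
import re
from ntpath import normpath  # Windows path rules on any host OS

# Stores named in the report: ...\Chrome\User Data\<profile>\{Login Data, Web Data}
STORE_RE = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\([^\\]+)\\(Login Data|Web ?Data)$",
    re.IGNORECASE,
)
# Assumption: only chrome.exe in its standard install directories should open
# these files; extend the set for backup or endpoint agents you trust.
ALLOWED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}

def suspicious_reads(events):
    """Return one finding per event where a non-allowed image opened a store."""
    findings = []
    for ev in events:
        m = STORE_RE.search(normpath(ev["ObjectName"]))
        if m is None:
            continue  # not a Chrome credential store
        image = normpath(ev["ProcessName"])
        if image.lower() in ALLOWED_IMAGES:
            continue  # the browser itself
        findings.append({"user": ev["SubjectUserName"], "image": image,
                         "profile": m.group(1), "store": m.group(2)})
    return findings

# Constructed sample records (not real logs), using event 4663 field names.
_BASE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    {"SubjectUserName": "alice", "ObjectName": _BASE + r"\Default\Login Data",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"SubjectUserName": "alice", "ObjectName": _BASE + r"\Profile 1\Login Data",
     "ProcessName": r"C:\Users\alice\Downloads\ConsoleApp1.exe"},
    # Same file name as the browser, wrong directory: matched on full path.
    {"SubjectUserName": "alice", "ObjectName": _BASE + r"\Default\Web Data",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\chrome.exe"},
    {"SubjectUserName": "alice", "ObjectName": r"C:\Users\alice\notes.txt",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in suspicious_reads(SAMPLE_EVENTS):
        print(finding)
```

Matching the image on its full path rather than its file name is what catches the third record, where a binary named chrome.exe runs from a temp directory.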
,
Jan 14 2018
This is working as designed. See the duplicate report and the section of the FAQ starting here: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model
,
Jan 14 2018
,
Apr 23 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by hrshjrwl...@gmail.com
, Jan 14 2018