Web trackers exploit browser login managers
Reported by stu...@anchev.net, Jan 14 2018
Issue description

Chrome Version: 63.0.3239.108
OS Version: openSUSE Leap 42.3
URLs (if applicable): https://senglehardt.com/demo/no_boundaries/loginmanager/
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari: not tested
Firefox: not tested
IE/Edge: not tested

What steps will reproduce the problem?
1. Visit https://senglehardt.com/demo/no_boundaries/loginmanager/
2. Follow the instructions on the page

What is the expected result?
Saved user login should not be exploitable by scripts

What happens instead of that?
Saved logins are exploitable. Read the full article for details: https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

UserAgentString: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36
Jan 16 2018
Able to reproduce this issue on reported version 63.0.3239.132 using Windows 10, Ubuntu 14.04 and Mac 10.13.1 with the URL given in comment#0, i.e., able to see the saved user email and password. This issue is seen in Firefox and IE as well. This issue is seen from M50 [50.0.2661.0]. Hence considering this issue as Non-Regression and marking as Untriaged. Tentatively adding Security component along with UI>Browser>Passwords for more inputs from the respective team.
Jan 17 2018
Comment 1 by krajshree@chromium.org, Jan 14 2018