
Issue 801901

Starred by 3 users

Issue metadata

Status: Duplicate
Merged: issue 798492
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Mac
Pri: 2
Type: Bug




Web trackers exploit browser login managers

Reported by stu...@anchev.net, Jan 14 2018

Issue description

Chrome Version       : 63.0.3239.108
OS Version: openSUSE Leap 42.3
URLs (if applicable) : https://senglehardt.com/demo/no_boundaries/loginmanager/
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari: not tested
    Firefox: not tested
    IE/Edge: not tested

What steps will reproduce the problem?
1. Visit https://senglehardt.com/demo/no_boundaries/loginmanager/
2. Follow the instructions on the page

What is the expected result?
Saved user login should not be exploitable by scripts

What happens instead of that?
Saved logins are exploitable.


Read the full article for details:

https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

UserAgentString: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36



 
Labels: Needs-Triage-M63
Cc: sc00335...@techmahindra.com
Components: Security UI>Browser>Passwords
Labels: -Pri-3 M-65 Triaged-ET OS-Mac OS-Windows Pri-2
Status: Untriaged (was: Unconfirmed)
Able to reproduce this issue on reported version 63.0.3239.132 using Windows 10, Ubuntu 14.04 and Mac 10.13.1 with the URL given in comment#0, i.e., able to see the saved user email and password.

This issue is seen in Firefox and IE as well. This issue is seen from M50 [50.0.2661.0]. Hence considering this issue as Non-Regression and marking as Untriaged.

Tentatively adding Security component along with UI>Browser>Passwords for more inputs from the respective team.

Comment 3 by battre@chromium.org, Jan 17 2018

Mergedinto: 798492
Status: Duplicate (was: Untriaged)
