
Issue 808029

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 792967
Owner: ----
Closed: Feb 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Chrome password repository easily accessible after signing out

Reported by daf...@gmail.com, Feb 1 2018

Issue description

VULNERABILITY DETAILS
Google Chrome password repository easily accessible after closing Google Chrome session.
Design or implementation issue that substantially affects the confidentiality or integrity of user data.

VERSION
Chrome Version: [64.0.3282.119] + [Official Build (64-bit)]
Operating System: [Microsoft Windows 10 Pro 10.0.16299 N/A Build 16299]

REPRODUCTION CASE

Hello there, I realized this after my previous laptop was stolen. Here I found this big issue, from my perspective, in Google Password Manager.
On my laptop, I had accounts like Dropbox, OneDrive, and Google Drive. Fortunately, Dropbox, OneDrive, and Google have an option to disassociate a device from the account, so all the updates on my files won't be affected if the thief decides to delete them all. But here is the issue: I wondered what happens with the passwords archived inside Google Chrome even if somebody does not have my Gmail password but Chrome is still being accessed by the thief. So I reproduced the issue on my new laptop. Here are the steps:

Firstly I disassociated my Google Chrome session from that stolen laptop.
On my new laptop, I logged in to Google Chrome and waited for all my info, such as bookmarks, passwords, etc., to update.
Having done this, I closed Chrome.
I opened it again and, as it should be, all my info was there, even passwords.
Now I logged out from Google Chrome; a notification popped up saying the following: "Changes to your bookmarks, history, passwords, and other settings will no longer be synced to your google account. However, your existing data will remain stored in your Google account …" I hit OK.
Now I opened Google Chrome again and it started with a simple account.
I went to the preferences, password section, and all my passwords from the closed session were there.
With Dropbox, I understand that those are files, and there is no function to delete all the files inside a remote computer, but now I'm not talking about files, I'm talking about passwords, keys, such sensitive credentials for different sites. Like a password vault. And this should never keep a copy on the computer, even worse, without a master password that protects it!
I got really worried!

As a basic good practice I have my computer's Windows account under a password, so Google Chrome asks me for the local computer password in order to reveal the passwords, but if I remove the Windows user password, Google Chrome just shows me the passwords for the signed-out user. I even tried restarting the computer to see if something changes, but no, the passwords are still there, very easy to see. In addition, even a thief hasn't my local user password, with a simple tool such as Hirens boot he could change my admin local password on the computer and login windows.

So at that moment, I realized that the thief could easily access all my accounts without any issue :(. Just by opening Chrome, going to settings, and going to the passwords section, he was able to see all of them!
So the only move I had was to go account by account and service by service (Facebook, Hotmail, Dropbox, bank, cards, and so on), changing the passwords in order to at least make the passwords contained in the stolen laptop obsolete.

In this case, it was a stolen computer, a device that I no longer have control over, but it could be some amateur user logging in at a café using a public computer, and after logging out of his Chrome session and leaving the room with peace of mind… all his passwords are actually still stored on that computer he used.
As a recommendation for a fix, as some applications do: to see the passwords, protect them under a master password never located on the local computer. So Google Smart Lock can work underneath the hood but not a common human. An example could be how Symantec Identity Safe works (a free password vault app or web app): you have to log in to your Symantec account (free) and then type your master password in order to get access to all your passwords. 2-factor authentication in this case. I know Google also provides 2-step verification, but I think that is not as common or mandatory for all users; it is just an option. And also this 2-step verification doesn't cover the issue I am writing about, because the passwords are located locally on each computer a user logs in to.

That being said, please don't hesitate to write me if you have any question.
Hoping to be helpful to enforce the security of your awesome developments!

Have a groovy day!

BR

Diego.-

 
Mergedinto: 792967
Status: Duplicate (was: Unconfirmed)
Summary: Security: Chrome password repository easily accessible after signing out (was: Security: Google Chrome password repository easily accessible after closing Google Chrome session)
At the point of signout, you were prompted to delete locally-stored data (see attached image).

https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Signing-out-of-Chrome-does-not-delete-previously_synced-data

In terms of mitigating the risk of a stolen device, setting a password for the Operating System's user account is the way to go. Passwords are encrypted on disk by DPAPI, which uses a secret key protected by the OS user-account's password.


SignoutPrompt.png (22.7 KB)

Comment 2 by wfh@chromium.org, Feb 1 2018

In regard to your specific comment: "In addition, even a thief hasn't my local user password, with a simple tool such as Hirens boot he could change my admin local password on the computer and login windows."

In fact, this would not allow an attacker to view stored passwords, since they are stored by Chrome using the DPAPI (Data Protection API) and encrypted with a key derived from the user's OS password.

See this comment for more info on this -> https://bugs.chromium.org/p/chromium/issues/detail?id=748120#c6
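
The DPAPI behaviour the two replies above describe, as an added example that is not from this thread or from Chromium: a constructed secret is protected under the CurrentUser scope and read back from disk. The file name and the function `Test-DpapiBlob` are hypothetical, and Windows PowerShell 5.1 is assumed.

```powershell
# Added illustration (not Chromium code). Uses only a constructed secret;
# it does not touch any browser data.
Add-Type -AssemblyName System.Security

$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-password')

# Protect: the caller supplies no key or passphrase. DPAPI ties the blob to
# the logged-on user's credentials, as the replies above describe.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$path = Join-Path $env:TEMP 'dpapi-demo.bin'   # hypothetical file name
[System.IO.File]::WriteAllBytes($path, $blob)

function Test-DpapiBlob {
    # Reports whether the current logon session can unprotect the blob.
    param([Parameter(Mandatory)][string]$BlobPath)
    try {
        $bytes = [System.IO.File]::ReadAllBytes($BlobPath)
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $bytes, $null,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        [pscustomobject]@{
            Readable = $true
            Value    = [System.Text.Encoding]::UTF8.GetString($plain)
        }
    } catch [System.Security.Cryptography.CryptographicException] {
        # Raised when the blob was protected for another user or was altered.
        [pscustomobject]@{ Readable = $false; Value = $null }
    }
}

# Check the blob as the user who created it.
Test-DpapiBlob -BlobPath $path

# Check an altered copy: flip the last byte and test again.
$bad = [byte[]]$blob.Clone()
$bad[$bad.Length - 1] = $bad[$bad.Length - 1] -bxor 0xFF
$badPath = Join-Path $env:TEMP 'dpapi-demo-tampered.bin'   # hypothetical
[System.IO.File]::WriteAllBytes($badPath, $bad)
Test-DpapiBlob -BlobPath $badPath

Remove-Item $path, $badPath
```

The first check needs no prompt because the session is already logged on as the owning user, which is why an account with no password, or an unlocked session, leaves DPAPI-protected data readable. Running `Test-DpapiBlob` on the same file from a different Windows account exercises the failure branch.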

Comment 3 by daf...@gmail.com, Feb 1 2018

Ok, got it. Let me sandbox it and come back to you with the results.

Thanks for your reply.

Have a nice day!

Comment 4 by daf...@gmail.com, Feb 1 2018

In the meantime I leave this question open.

If I have my PC without any password as Windows login and my PC was stolen, will the thief see all my passwords when opening Chrome? Even if I disassociate the PC fromUruguay my Google account?

Comment 5 by daf...@gmail.com, Feb 1 2018

Sorry the corrector added something. The last sentence should say:

Even if I disassociate the PC from my Google account?

If your PC is stolen and is not protected by a password, any files and data on that PC can be read by an attacker. 

Disassociating the PC from your Google Account will prevent any *new* data from sync'ing to the stolen PC, but will not delete any data already on the PC. (A thief could simply turn off WiFi and prevent your PC from knowing that it had been disassociated.)
Project Member

Comment 7 by sheriffbot@chromium.org, May 11 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
