
Issue 809567


Issue metadata

Status: WontFix
Owner:
Closed: Feb 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 1
Type: Bug-Security




Security: Autocomplete data can be stolen by malicious webpage

Reported by chromium...@gmail.com, Feb 6 2018

Issue description

VERSION
Chrome Version: 66.0.3340.0 (Official Build) canary (64-bit)
Operating System: Mac

REPRODUCTION CASE
I think I'm still able to repro this bug 753645,
1. load http://dev.jigawatt.co.uk/dev/autocomplete/steal.html
2. hold down the 'down' arrow key
3. email addresses should be shown on the page
 
Components: UI>Browser>Autofill
Labels: ReleaseBlock-Stable M-65 Security_Severity-Medium Security_Impact-Stable Pri-1
Owner: se...@chromium.org
Status: Assigned (was: Unconfirmed)
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows

Comment 3 by se...@chromium.org, Feb 7 2018

I cannot repro on M66. I am testing on Canary on Mac.

You are not pressing enter, correct? Because then it would be normal that the site can access the values.

Let me know if you have to take special steps, because simply clicking in the field and pressing the down arrow does not make the site show the email address for me.

Thanks!
Oops sorry! I was testing this on an old version. Unable to repro this on M64 stable and M66 canary. You can now mark this bug as "Wontfix" - Thanks!

Comment 5 by se...@chromium.org, Feb 10 2018

Status: WontFix (was: Assigned)

Comment 6 by sheriffbot@chromium.org, May 20 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
