VULNERABILITY DETAILS

When storing/updating credentials from a login form, Chrome offers to store
the latest state of the input fields rather than the form state that was actually
submitted (race condition).
With a carefully crafted XSS attack, an attacker could dynamically change login
form values right after user submission, but before Chrome actually prompts the
user with the "save credentials" window. A user not paying attention would be
storing different credentials into Chrome saved passwords.
On subsequent logins, a user not paying attention to the autofilled form could
automatically log in as a different person using the credentials injected by the
attacker. The user could then be unknowingly performing harmful actions, such
as shopping or chatting while not realizing s/he logged in as someone else. Unlikely,
but that could be exploited.

VERSION

Chrome Version: 63.0.3239.132 (Build officiel) (64 bits)
Operating System: Mac OS X 10.12.6 (16G29)

REPRODUCTION CASE

Suppose you're attempting to log in as "jane@gmail.com" with password "1234abcd",
which would be valid on a given website. If you quickly change the email and/or pass
fields of that form to other values (ie. login: "robert@some-domain.com" and
pass "BobPassWord") *right* after submitting (with click or enter
key), then Chrome will offer to store these updated values (Bob's credentials)
*rather than* the values in the form at the time of submission (Jane's credentials).
When logging out and attempting to log back in, the form would be autofilled
with Bob's credentials, although the login attempt would have been succesful using Jane's credentials.
This looks like a race condition where Chrome stores the latest known state
of the form rather than the state that was actually used for the actual
form submission.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

n/a