Issue metadata
Sign in to add a comment
|
Security: chrome.webRequest.onBeforeRequest in a Chrome extension exposes password in plain text when authenticating
Reported by
saianude...@gmail.com,
Mar 1 2018
|
||||||||||||||||||||
Issue descriptionSteps to reproduce: 1. Working example @https://github.com/anudeepsai/google-password-reveal 2. Download the extension (in a sandbox preferably) and install the extension. 3. Steps to be followed in the github post Browser/OS: Chrome Browser, Chromium with Ubuntu. I don't think this is version specific
,
Mar 3 2018
Interestingly facebook actually implements encryption while sending sensitive information. The credentials are obfuscated. Almost every other website uses plain text for sending passwords. example : github. But thanks for the update. I guess we've to keep this in mind while developing applications.
,
Mar 3 2018
For what it's worth, obfuscating the data during transit doesn't help much because a MITM could simply replace the client script code that performs the obfuscation.
,
Jun 7 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Mar 1 2018Status: WontFix (was: Unconfirmed)