When a page is loaded that has associated cached credentials, Chromium inserts these credentials into the respective fields.
Text fields are immediately available in page DOM.
Password fields are available in page DOM only after some interaction. This interaction can be a single click anywhere on screen or a keypress.

In a Man-in-the-Middle attack or Cross-Site Scripting attack a user would only need to click or press a key to have their cached password captured from Chromium.

Firefox & Safari prevent this by requiring clicking on the field itself and selecting the username from a dropdown. This also prevents the fields from being hidden from users. This was also previously the case in Chromium.

VERSION
Chrome Version: 64.0.3282.186
Operating System: Windows 10.0.16299 Pro

MitM ATTACK EXAMPLE
Using this behaviour it is possible to reliably capture the administrator credentials for various common routers WITHOUT having the ‘victim’ login to see the credentials being sent in a POST request.

(1-5 are standard Karma attack, ignore if the steps are known)

1. TARGET is connected to their own WIFI_NETWORK
2. ATTACKER sends 802.11 DEAUTH to TARGET
3. TARGET is disconnected from WIFI_NETWORK
4. TARGET sends wireless PROBES for other known networks
5. ATTACKER responds to PROBES, causing TARGET to connect to MALICIOUS_WIFI

(6-9 are related to the actual vulnerability being reported)

6. ATTACKER triggers CAPTIVE PORTAL detection (On Windows this uses the default browser)
7. CAPTIVE PORTAL is hosted by ATTACKER on the most likely IP address used by router interface (must be guessed)
8. CAPTIVE PORTAL has invisible fields which TARGET Chromium populates with username and password
9. If TARGET clicks anywhere on CAPTIVE PORTAL, the username and password are both exposed to the DOM of the malicious CAPTIVE PORTAL and sent to ATTACKER.

(10-12 are slight additions that make the attack more useful, not specifically relevent to Chromium)

10. ATTACKER stops MALICIOUS_WIFI network
11. TARGET automatically reconnects to WIFI_NETWORK
12. CAPTIVE_PORTAL is still running, when connected to WIFI_NETWORK the username and password are used to capture/change any information in the admin interface. In many cases this includes the network name and PSK.

CODE:
The attached files execute the attack using Kali Linux on a Raspberry Pi.
HostAPD is currently configured to use the Karma attack as well as expose the 'Starbucks_wifi' network for debugging.

 

Deleted: 1-clean.sh 305 bytes

1-clean.sh 305 bytes View Download

Deleted: 2-ipstart.sh 50 bytes

2-ipstart.sh 50 bytes View Download

Deleted: 3-firewall.sh 722 bytes

3-firewall.sh 722 bytes View Download

Deleted: 4-dnsmasq.sh 55 bytes

4-dnsmasq.sh 55 bytes View Download

Deleted: 5-portal.py 854 bytes

5-portal.py 854 bytes View Download

Deleted: 6-hostapd-wpe.sh 49 bytes

6-hostapd-wpe.sh 49 bytes View Download

Deleted: hostapd-wpe.conf 36 bytes

hostapd-wpe.conf 36 bytes Download

Deleted: portal.html 14.3 KB

portal.html 14.3 KB View Download