Security: Second Chrome user can recover passwords of previously logged in user without reauthentication.
Reported by andrew.g...@csx.cloud, Mar 10 2018
Issue description

VULNERABILITY DETAILS
After one user logs out of Chrome, the next user that logs in can import the first user's settings and passwords without authenticating that account. The first user's passwords are then visible in plaintext by authenticating with UAC. Perhaps I am missing something regarding this being intentional, but it doesn't seem like a "feature".

VERSION
Chrome Version: Version 65.0.3325.146 (Official Build) (64-bit)
Operating System: Windows 10, multiple builds

REPRODUCTION CASE
The demonstration is in this video on my OneDrive.
https://1drv.ms/v/s!Aur2I4lRyYuanoxfIVl6kDmhVYt89Q

Near the end, I start getting confused by what accounts Chrome is caching and what information is saved. Whether that is because I did this late Friday night after a long week or because Chrome makes this information difficult to understand is something I will figure out tomorrow.
Mar 10 2018
Steps for reproduction:
1. Be logged in to Chrome as user 1.
2. Log out of user 1.
3. Log in as user 2.
4. Respond in the affirmative that the previously logged-in user was you and initiate sync of their data.
5. Never does it prompt for authentication of user 1's account.
Mar 12 2018
I'm unsure if this behavior is intended, but we don't classify this type of issue as a security vulnerability for the reasons outlined at
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model

Removing view restrictions and passing this along to the sync team.
Mar 13 2018
Mar 16 2018
Mar 21 2018
Apr 23 2018
Able to reproduce this issue on reported version 65.0.3325.146 & verified on latest canary 68.0.3404.0 using Windows 10, Mac OS, Linux Ubuntu 14.04.

Steps:
---------
1. Logged in to Chrome as user 1.
2. Logged out from user 1.
3. Logged in as user 2.
4. Respond in the affirmative that the previously logged-in user was you and initiate sync of their data.
5. Observed that it does not prompt for authentication of user 1's account.
6. Navigated to Manage password in the Chrome advanced settings and observed.

Considering this issue as Non-regression from M-63 where the Eye icon for viewing is enabled.

Thanks!
Oct 30
I think the problem is that the passwords (like all other data) are left behind locally when you log out of Chrome and turn off Sync. When logging out, we do offer a checkbox to wipe all local data. I'm not sure what else can be done.
Oct 30
User 1 left all the passwords on the machine that user 2 has access to. User 2 could sync or export the existing passwords. The solution would be to tie the lifetime of the passwords to the "user 1" account.
Oct 30
Andrew, can you confirm that you see the dialog mentioned in Comment 8 after your repro step 2 (i.e. after logging out as the first user)?
Jan 11
Setting defect without priority to Pri-2.
Comment 1 by andrew.g...@csx.cloud, Mar 10 2018