New issue
Advanced search Search tips

Issue 821958 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Mar 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: ability to manually remove password requirement from the screen lock setting

Reported by jahof...@edu.sollentuna.se, Mar 14 2018 
This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

VULNERABILITY DETAILS
The problem is that you can skip the need of entering the password at the "Screen Lock" setting at chrome://settings. 

VERSION
Chrome Version: 64.0.3282.190 stable 64-bit
Operating System: Chrome OS 10176.76.0 (Official Build) stable-channel swanky

REPRODUCTION CASE
Go to chrome://settings, click "Screen Lock", then open the Developer Tools, select the <dialog> element and deleting it. Now you can freely change these settings.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Comment 1 by est...@chromium.org, Mar 14 2018

Labels: -Restrict-View-SecurityTeam Security_Impact-None
Status: WontFix (was: Unconfirmed)
Thanks for the report! We don't consider this a security bug in Chrome, please see https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model and https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#what-about-unmasking-of-passwords-with-the-developer-tools for details about why.

Sign in to add a comment