
Issue 822127 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug-Security




Security Bypass - Credential exfil

Reported by iamaamer...@gmail.com, Mar 15 2018

Issue description

Steps to reproduce the problem:
1. Save password in Chrome (of any site login say fb.com).
2. Login to chrome (google account) and sync passwords.
3. Login to chrome with Google account on other device with admin access.
4. See password in PT.

What is the expected behavior?
Scenario: Some organisation (name withheld) used Chrome as their browser. The manager, while making a subordinate understand, had to provide his credentials to some website. So he did.

The subordinate person did not have admin privilege on the system and thus couldn't see the PT password.

The subordinate then pressed save password in browser and synced his chrome passwords (after logging in the chrome with his Google credentials).

Then he opened his own device with Chrome and saw the password in PT after giving local skin credentials.

This vulnerability helped him bypass the password protection to view passwords. 

What went wrong?
Business Logic went wrong. Ask architects to think out of the box (practically; as in this case) to avoid such small issues with such magnified impact.

The credentials dumped were of high importance and this hack was successful thanks to chrome logic.

I was extensively helped by fellow researcher "Younis Amin Bangi" (younisamin.bangi@gmail.com) in finding / replicating the bug.

Did this work before? N/A 

Chrome version: 64  Channel: stable
OS Version: 8.0
Flash Version:
 

Comment 1 by est...@chromium.org, Mar 15 2018

Components: UI>Browser>Passwords Services>Sync
Labels: Needs-Feedback
Thanks for the report. It doesn't sound like this is a security bug in Chrome but rather an instance of a user syncing a password without understanding that it was being synced, or perhaps a shared-device scenario. Can you clarify what you mean by "PT" and what you would expect Chrome to have done differently in this scenario?

https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model might also be of interest. It explains why Chrome can't protect against attackers with physical control over a device.
PT refers to plain text.

Perspectives of various characters in the story:
Alice be victim and Malice be the attacker. 

Alice entered credentials (and never thought someone could see them), since he thought Chrome requires admin rights on the system.

Malice with limited privileges was able to bypass the submission of admin password (by above mentioned trick).

What you could do differently:
Firstly never submit credentials in local store if the credentials belong to the chrome without Google login.
Secondly, do not let anyone save a password after 1 minute or after traversing to more than 1 page. Why? Because Malice can at any time press the save password key and save the victim's password.


Project Member

Comment 3 by sheriffbot@chromium.org, Mar 15 2018

Cc: est...@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix (was: Unconfirmed)
There are much simpler ways to extract a stored password that don't even require that you sync the passwords to a different system. You can use the Developer Tools or even a trivial snippet of JavaScript, for instance: https://textslashplain.com/2017/10/16/stealing-your-own-password-is-not-a-vulnerability/

The prompt for a system password to unveil the data in the chrome://settings/passwords page is not a security boundary.
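Since the reveal prompt on chrome://settings/passwords is not a security boundary, an organisation that shares machines as described in the report has to prevent credentials from being saved or synced in the first place rather than rely on that prompt. The following managed-Chrome policy file is an added example (not part of this bug thread or of Chromium's documentation) showing one way to do that with the `PasswordManagerEnabled` and `SyncTypesListDisabled` policies; the file path and the assumption that the organisation uses Chrome's policy mechanism on Linux are illustrative, and the JSON comments would have to be removed in an actual policy file.

```json
{
  // Added example: stop Chrome from offering to save credentials at all,
  // so a second user of the machine cannot press "Save password" for them.
  "PasswordManagerEnabled": false,

  // Added example: even if password saving is re-enabled locally, keep
  // saved passwords out of the account sync set so they never reach
  // another device where the local unlock prompt can be satisfied.
  "SyncTypesListDisabled": ["passwords"]
}
```

On Linux this would be placed under `/etc/opt/chrome/policies/managed/` (on Windows the equivalent values are set under `HKLM\Software\Policies\Google\Chrome`); after restarting Chrome, chrome://policy shows whether the policies were applied, which is the check a defender would want before trusting the setting.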


Project Member

Comment 5 by sheriffbot@chromium.org, Jun 22 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
