New issue
Advanced search Search tips

Issue 822181 link

Starred by 3 users
Status: Fixed
Owner:
qnnguyen@chromium.org
Closed: May 2018
Cc:
r...@chromium.org
jdufault@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: ----
Type: Feature


Participants' hotlists:
LoginRefresh


Sign in to add a comment

Security: closing lid of chromebook does not remove password from text box

Reported by dug.arma...@gmail.com, Mar 15 2018 
VULNERABILITY DETAILS

My expectation is that when the lid is closed that the computer is secure.

The normal behaviour when logged in is:

* lid closed
* lid open
* password required

Then

* keying in the password but 
* do NOT hit `enter`
* close the lid
* open the lid
* password is still there
* pressing enter will log onto the computer

VERSION
Chrome Version: 64.0.3282.190 (Official Build) (64bit)

Comment 1 by elawrence@chromium.org, Mar 15 2018

Components: UI>Shell>StartScreen
Labels: OS-Chrome

Comment 2 by allenwebb@chromium.org, Mar 15 2018

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Security_Severity-Low Type-Feature
Owner: jdufault@chromium.org
jdufault@ Feel free to reassign this if you know someone who is better suited to fix this. I am not sure how hard it would be for you to clear or refresh the lock screen when the lid closes, but it seems like this should be a relatively small change.

I made the bug public because it doesn't make sense to keep it private until it is fixed since people knowing about the issue will improve things until it is fixed.

Comment 3 by jdufault@chromium.org, Mar 15 2018

Cc: r...@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 4 by elawrence@chromium.org, Mar 15 2018 

By way of comparison:

 Mac OS 10.13.3: Clears the password box
 Windows 10 1803.17107: Does not clear the password box. The user can even click the "Reveal password" button to reveal the plaintext password.

Comment 5 by jdufault@chromium.org, Mar 15 2018 

Thanks for the comparison. This was an unintentional regression so the plan is to fix and restore the previous behavior.

Comment 6 by allenwebb@chromium.org, Apr 26 2018 

 Issue 836903  has been merged into this issue.

Comment 7 by jdufault@chromium.org, May 17 2018

Cc: jdufault@chromium.org
Owner: qnnguyen@chromium.org
Project Member

Comment 8 by bugdroid1@chromium.org, May 25 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ed0528eacd04a4801ebd698c05bf8465d417cbc4

commit ed0528eacd04a4801ebd698c05bf8465d417cbc4
Author: Quan Nguyen <qnnguyen@chromium.org>
Date: Fri May 25 23:52:07 2018

Clear lock screen password box on suspend

Bug:  822181 
Change-Id: I444239fac475d2e86785823976efcf6ba9d94579
Reviewed-on: https://chromium-review.googlesource.com/1069737
Commit-Queue: Quan Nguyen <qnnguyen@chromium.org>
Reviewed-by: Jacob Dufault <jdufault@chromium.org>
Cr-Commit-Position: refs/heads/master@{#562066}
[modify] https://crrev.com/ed0528eacd04a4801ebd698c05bf8465d417cbc4/ash/login/ui/lock_contents_view.cc
[modify] https://crrev.com/ed0528eacd04a4801ebd698c05bf8465d417cbc4/ash/login/ui/lock_contents_view.h
[modify] https://crrev.com/ed0528eacd04a4801ebd698c05bf8465d417cbc4/ash/login/ui/lock_contents_view_unittest.cc

Comment 9 by qnnguyen@chromium.org, May 25 2018

Status: Fixed (was: Assigned)

Sign in to add a comment