New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Mar 21
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security



Sign in to add a comment

Manage Passwords is set to "Off" but it still autofills credentials

Reported by sdailey....@gmail.com, Mar 15

Issue description

VULNERABILITY DETAILS
I have Manage Passwords toggled "Off" as well as "Auto-login" toggled "Off" and, I also have toggled Autofill settings "Off". YET - Chrome is autofilling usernames and passwords on sites that I visit, unmasking my identity to that site. This 1.) clearly deceives and runs afoul of user expectations, 2.) undermines the user's privacy b/c it gives sites like Facebook a way of knowing who logged out users are even with cookies disabled and other precautions taken by the user. -- In the EU there was an issue with Facebook tracking logged-out users, so this unmasking threat is not hypothetical.

VERSION
Chrome Version: 64.0.3282.186 (Official Build) (64-bit)
Operating System: macOS High Sierra 10.13.3

REPRODUCTION CASE
The vulnerability can be reproduced on a site with a login where the password had been saved in the manager at some point. A good example is with www.reddit.com

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
This does not crash the browser.
 
Screen Shot 2018-03-15 at 4.58.17 PM.png
91.5 KB View Download
Screen Shot 2018-03-15 at 4.58.02 PM.png
32.4 KB View Download
Cc: vabr@chromium.org
Components: UI>Browser>Passwords
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Owner: vasi...@chromium.org
Status: Assigned (was: Unconfirmed)
+password team to have a look - this is quite a strange one to me.
Thanks for the report.

This has already been spotted in the past (see  bug 707887 ). The summary is that the UI labels are confusing.

The main toggle in chrome://settings/passwords controls saving, not filling of credentials. If Chrome stopped filling credentials, the user would forgot that they have saved them. The only way to stop filling is to delete all of them (easiest to do in chrome://settings/clearBrowserData).

The "Auto sign-in" is only related to sites using the new Credential Manager Javascript API, it does not affect credentials passed through normal HTML forms.

The other autofill setting controlls filling non-password data (I agree that it is not obvious from how the settings are labelled).
Labels: -Restrict-View-SecurityTeam allpublic Security_Impact-Stable
Summary: Manage Passwords is set to "Off" but it still autofills credentials (was: Security: Information Leak -- Manage Passwords is set to "Off" but it still autofills credentials)
 Issue 707887  was already public, so there's no need to keep this one restricted.

Is the plan here to change the labels so they more clearly explain the behavior, or is the plan to change the behavior (say, to prompt the user about clearing their credentials if they turn off the password manager)?
Cc: vasi...@chromium.org
Owner: nepper@chromium.org
Labels: M-67 Security_Severity-Low
Not sure if we should keep this labelled as a security bug, but tentatively triaging it as Low severity.
Thanks for the timely response. Hopefully you guys can resolve this soon,
it's very misleading and been a real problem for quite awhile.

On Fri, Mar 16, 2018 at 7:38 AM, v… via monorail <monorail+v2.3055812653@
chromium.org> wrote:
Project Member

Comment 7 by sheriffbot@chromium.org, Mar 17

Labels: Pri-2
Cc: nepper@chromium.org battre@chromium.org
Owner: maxwalker@chromium.org
Thanks for the report!

Currently, the chrome://settings/passwords view is titled "Manage passwords" and offers a global toggle "ON"/"OFF".

I'd like to revisit this string. Proposal for consideration:

TODAY:
On [toggle]

Auto Sign-in [toggle]
Automatically sign in to websites using stored credentials. If disabled, you will be asked for confirmation every time before signing in to a website.


PROPOSAL:
Offer to save passwords [toggle]
Saved passwords are filled into sign-in forms automatically.

Auto Sign-in [toggle]
Automatically sign in to websites using stored credentials. If disabled, you will be asked for confirmation every time before signing in to a website.

The proposal in #8 sounds like an improvement to me, thanks!

Perhaps if the setting is OFF, we could add tweak the wording and add a link into the clear experience, e.g.

  Previously saved passwords will be filled into sign-in forms automatically. (__Clear Passwords__)


Screenshots for Code Review
Proposed_Mocks.png
123 KB View Download
Implementation.png
71.5 KB View Download
Cc: maxwalker@chromium.org
Labels: -Pri-2 -M-67 M-66 Pri-1
Owner: jdoerrie@chromium.org
Status: Started (was: Assigned)
This UI change LGTM.

elawrence, please note that we settled on a simple change for M66: we will change the title of the toggle (and not add a textual description below). We found that it could it be a new source of confusion. We're planning to fix this setting more generally in M67.

jdoerrie, please go ahead and land. Once landed, please add a reference to your CL in this bug and add a merge-requested label.

Adjusting milestone label as we are planning to fix the string for M66.
Project Member

Comment 12 by bugdroid1@chromium.org, Mar 21

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/52f6eb4221430b6248fd5a59bec53bfef9fdd9a7

commit 52f6eb4221430b6248fd5a59bec53bfef9fdd9a7
Author: jdoerrie <jdoerrie@chromium.org>
Date: Wed Mar 21 10:16:25 2018

[md-settings] Clarify Password Saving and Autofill Toggles

This change clarifies the wording around the password saving and
autofill toggles.

Bug:  822465 
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I91b31fe61cd0754239f7908e8c04c7e69b72f670
Reviewed-on: https://chromium-review.googlesource.com/970541
Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org>
Reviewed-by: Vaclav Brozek <vabr@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#544661}
[modify] https://crrev.com/52f6eb4221430b6248fd5a59bec53bfef9fdd9a7/chrome/app/settings_strings.grdp
[modify] https://crrev.com/52f6eb4221430b6248fd5a59bec53bfef9fdd9a7/chrome/browser/resources/settings/passwords_and_forms_page/autofill_section.html
[modify] https://crrev.com/52f6eb4221430b6248fd5a59bec53bfef9fdd9a7/chrome/browser/resources/settings/passwords_and_forms_page/passwords_section.html
[modify] https://crrev.com/52f6eb4221430b6248fd5a59bec53bfef9fdd9a7/chrome/browser/ui/webui/settings/md_settings_localized_strings_provider.cc

Labels: Merge-Request-66
I request merge of r544661 into M66 (branch 3359).
Labels: -Merge-Request-66 Merge-Approved-66
Approving merge for M66. Branch:3359
Project Member

Comment 15 by sheriffbot@chromium.org, Mar 21

Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 16 by bugdroid1@chromium.org, Mar 21

Labels: -merge-approved-66 merge-merged-3359
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9e9a3c010a73f49a0e48da10fea268dc30ecb995

commit 9e9a3c010a73f49a0e48da10fea268dc30ecb995
Author: jdoerrie <jdoerrie@chromium.org>
Date: Wed Mar 21 15:11:05 2018

[md-settings] Clarify Password Saving and Autofill Toggles

This change clarifies the wording around the password saving and
autofill toggles.

Bug:  822465 
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I91b31fe61cd0754239f7908e8c04c7e69b72f670
Reviewed-on: https://chromium-review.googlesource.com/970541
Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org>
Reviewed-by: Vaclav Brozek <vabr@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#544661}(cherry picked from commit 52f6eb4221430b6248fd5a59bec53bfef9fdd9a7)
Reviewed-on: https://chromium-review.googlesource.com/973621
Reviewed-by: Jan Wilken Dörrie <jdoerrie@chromium.org>
Cr-Commit-Position: refs/branch-heads/3359@{#360}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}
[modify] https://crrev.com/9e9a3c010a73f49a0e48da10fea268dc30ecb995/chrome/app/settings_strings.grdp
[modify] https://crrev.com/9e9a3c010a73f49a0e48da10fea268dc30ecb995/chrome/browser/resources/settings/passwords_and_forms_page/autofill_section.html
[modify] https://crrev.com/9e9a3c010a73f49a0e48da10fea268dc30ecb995/chrome/browser/resources/settings/passwords_and_forms_page/passwords_section.html
[modify] https://crrev.com/9e9a3c010a73f49a0e48da10fea268dc30ecb995/chrome/browser/ui/webui/settings/md_settings_localized_strings_provider.cc

Labels: TE-Verified-M66 TE-Verified-66.0.3359.66
Able to reproduce this issue on 66.0.3359.45, hence verifying the fix on 66.0.3359.66

Now observing "Offer to save passwords" and "Auto-fill forms" text in Manage Autofill and Manage Password sections. Attaching screenshots for reference.

As fix is working as expected adding Verified labels.

Thanks!

Autofill_66.0.3359.66.png
97.0 KB View Download
Manage Passwords_66.0.3359.66.png
124 KB View Download
Thanks everyone!
Labels: reward-topanel
Labels: -reward-topanel reward-0
I'm afraid the VRP panel declined to reward for this, as it's a privacy issue: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Are-privacy-issues-considered-security-bugs-
Labels: Release-0-M66
Labels: CVE-2018-6117
Labels: CVE_description-missing

Sign in to add a comment