
Issue 825651


Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Passwords leaked without system user password prompt

Reported by florin1c...@gmail.com, Mar 25 2018

Issue description

VULNERABILITY DETAILS

If you try to manage or see your passwords stored in Chrome you will be prompted with a toast asking for the Windows User password, which makes sense since you do not want anybody to be able to get all your passwords in bulk.

I recently started to play with the Brave Browser and to my surprise it has a functionality where it can import all your passwords from Chrome. It works well and after executing this password import you have access to absolutely all the passwords stored in Chrome, without having to input any passwords in Brave or even have a Brave account. The Brave browser is Open Source with code on GitHub so I am assuming that it would not be difficult some day for someone to send you a picture with embedded code and execute the Brave browser code in order to get your passwords.

VERSION
Chrome Version: Version 65.0.3325.181 (Official Build) (64-bit)
Operating System: Windows 10 PRO

 
Sorry for submitting the same report 3 times. The portal crashed on me and I might have redone it in order to make sure that it was done properly.
Attachment: brave.PNG (151 KB)
I can also send you a clip with the reproduction steps if you need, but the portal does not allow me to attach a 7-minute video file.

Thank you

Comment 4 by cthomp@chromium.org, Mar 26 2018

Issue 825652 has been merged into this issue.

Comment 5 by cthomp@chromium.org, Mar 26 2018

Issue 825653 has been merged into this issue.

Comment 6 by cthomp@chromium.org, Mar 26 2018

Status: WontFix (was: Unconfirmed)
No worries. I've duped the other reports into this one.

Unfortunately, there is no real way for Chrome to prevent arbitrary code running on the same machine (as the same user) from accessing it. See https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model for more of our reasoning about the threat model in these cases.

For the "image with embedded code", that sounds like it would require a separate exploit against whatever image viewing application was being used. For an executable file being run directly, Chrome can't protect against malicious applications running on your machine (beyond the protections provided by Safe Browsing to help prevent the download of unsafe programs).



Comment 7 by sheriffbot@chromium.org, Jul 2

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
