New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 826594 link

Starred by 2 users
Status: Duplicate
Merged: issue 792878
Owner: ----
Closed: Mar 2018
Cc:
mastiz@chromium.org
tschumann@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Friend's login & password saved after Chrome sign-in

Reported by rcau...@gmail.com, Mar 28 2018 
This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com
/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

When logging into Chrome browser on a 3rd party computer (friend or public), saved login / password combinations are transferred to my personal Google account and can be accessed in plain text. 

This allows me login to other user's accounts on 3rd party websites where they have saved passwords. 

As an example, I recently logged into Chrome on a friend's laptop to check email and do some banking. When I finished the session, I logged out of Chrome. 

Now, when I visit passwords.google.com, I see username & password details for many users from that computer (see screenshot hellomattswitzer@gmail.com, cherylswitzer1@gmail.com, etc)

VERSION
Chrome Version: 
Version 65.0.3325.181 (Official Build) (64-bit)
Operating System: Any OS

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

On a public computer, I could sign into Chrome using a throwaway Gmail account. 

I could then visit passwords.google.com, enter my Google Account Password, and view all saved usernames & passwords from that computer. Note: this would NOT require me to re-enter their account password (as is the case when visiting passwords.google.com for your own account). 

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace *with symbols*, registers,
exception record]
Client ID (if relevant): [see link above]
Screenshot (2).png
137 KB View Download

Comment 1 by elawrence@chromium.org, Mar 28 2018

Components: Services>Sync
Mergedinto: 792878
Status: Duplicate (was: Unconfirmed)
This is working as expected. 

Yes, if you sign in to Chrome, you're presented with a dialog that indicates that this operation will sync your passwords across devices (1) (2). It further notes that if you're doing this on someone else's computer, you should use Guest Mode instead.

There's a writeup of this here: https://medium.com/secjuice/anyone-can-steal-all-of-chrome-saved-passwords-form-fields-bookmarks-history-ab2da3b4853e
SyncBehavior.png
54.1 KB View Download
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 5

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment