Security: Easily and quickly view any saved passwords from any website forms.
Reported by alb...@3ra.ca, Apr 8 2018
Issue description

VULNERABILITY DETAILS
Saved passwords on forms on ANY website are saved "encrypted" as ******. But by simply opening developer tools and changing that form input field from password to text, the password is clearly displayed on the website. We have disallowed anyone in our business from saving passwords on computers via Chrome, or using any password manager (such as LastPass), because of the security risks this imposes if a computer is left logged in.

VERSION
Chrome Version: All versions of Chrome
Operating System: All operating systems.

REPRODUCTION CASE
Open any website that has a password saved (facebook.com, google.com, etc...).
If the login is saved in the browser, the password and login field will be pre-filled. Password will show as *****
Right click on password input field and select inspect.
On the password input field form, change type from "password" to "text".
Now you can see the password displayed on the webpage.

I believe Chrome should clear password data from the form input field every time this change is made, to protect user privacy.

We see this as a major security risk on computers that have saved passwords because anyone without ANY technical skills can use this "exploit" to view saved passwords.
Apr 9 2018
"We consider these attacks outside Chrome's threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your computer as you"
Well, in this case, Chrome can prevent this from happening. Users are not aware that the passwords that are shown as ***** are actually very easily accessible.
Apr 9 2018
> chrome can prevent this from happening.
When you say "can prevent this", what exactly do you mean? Even without using Developer Tools, there are myriad other approaches to steal the same data available to an attacker with complete access to your computer.
Apr 9 2018
For instance, simply type
javascript:alert(document.querySelector("input[type='password']").value)
in the omnibox and hit Enter. There are MANY similar approaches available.
Jul 16
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Apr 9 2018
Mergedinto: 126398
Status: Duplicate (was: Unconfirmed)