Password could be exposed by accident in http basic authentication dialog
Reported by
rinke.va...@citrus.nl,
Apr 12 2018
|
||||||||||||
Issue descriptionVULNERABILITY DETAILS Presented with a basic authentication dialog, a user wants to left click the password field but accidentally right clicks it (by misuse of trackpad). The context menu immediately shows up suggesting to Look Up "secretpass". In this case one might consider this a physically local accident, instead of an attack. VERSION Chrome Version: Version 66.0.3359.81 (Official Build) beta (64-bit) Operating System: macOS 10.13.3 17D102 REPRODUCTION CASE 1. Trigger a basic auth dialog (e.g. https://www.httpwatch.com/httpgallery/authentication) 2. Let Chrome remember the password. 3. Close Chrome 4. Open Chrome 5. Trigger the same basic auth dialog 6. Right click password field.
,
Apr 12 2018
,
Apr 12 2018
+ellyjones@ Thanks for reporting this. Was able to repro this one on 67 on Mac (did not repro on 65). Agreed with elawrence that it doesn't seem like a security bug since it is local-only, derestricting.
,
Apr 12 2018
Just a quick note. Although not severe, I do think it is security related. I think it should be protected exactly like a normal password input would. If we can agree that "we should probably fix this up" then we might also agree there is some value to this bug report. For what it's worth, I would rate this as 'Information Leak - Baseline'
,
Apr 12 2018
It's absolutely valuable, and thank you again for reporting it! From a triage point-of-view, it simply falls out of scope for the threat model: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model
,
Apr 12 2018
I do not think it 'simply falls out of scope' because it is not an attack per se. As a Chrome user I trust the software with my secret. I would hope the plaintext version of that secret to be more than one click away. Chrome seems to agree with me on this when dealing with a password field in HTML, and it seems we all agree that this 'feature' I discovered is something to be fixed. Why did I report this issue, and why wouldn't we want to 'Look Up' arbitrary passwords on the internet? To me it is a real security issue and I'm glad to see it fixed. It's a shame a reward should not apply as this is clearly not an physically-local-attack (which obviously cannot/should not always be fixed) but definitely an issue that should (and probably will) be fixed.
,
Apr 13 2018
A distinction that might help clarify the decision here: This is definitely a bug, and we'll figure out a fix for it, but it is not a vulnerability (where a malicious actor could exploit it above and beyond what they could do otherwise with physically-local attacks). I do agree that one potentially escalating factor is that having a user accidentally leak their password to a third party service via the "Look up" function is bad. I think P-2 seems reasonable for this, meaning we should target having this fixed for M68. If the fix is reasonably simple, we might even try to get this merged back into M67.
,
Apr 16 2018
spqchan: we should remove the "Look up" item from password fields probably (and maybe some other options too).
,
Apr 16 2018
@cthomp: thanks for the clarification, it helps.
,
Apr 16 2018
,
Apr 16 2018
The fix for this is simple, let's merge it to M67 once it's landed. Note: the code to retrieve text from a Views textfield is error prone. I'm going to submit a follow up CL after the fix so this won't happen again
,
Apr 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/81671321cacaabd83b1e8d6effd21ea3132ef35e commit 81671321cacaabd83b1e8d6effd21ea3132ef35e Author: spqchan <spqchan@chromium.org> Date: Thu Apr 19 22:55:07 2018 [MacViews] Fix Password Reveal in Views Textfield Don't show the "Look Up" menu item in the textfield context menu if the textfield is a password field. Testing: views_unittests TextfieldTest.LookUpPassword. Bug: 832103 Change-Id: I1fd526b0e51b19ae6f118da1d628958f26da380b Reviewed-on: https://chromium-review.googlesource.com/1013782 Reviewed-by: Michael Wasserman <msw@chromium.org> Commit-Queue: Sarah Chan <spqchan@chromium.org> Cr-Commit-Position: refs/heads/master@{#552194} [modify] https://crrev.com/81671321cacaabd83b1e8d6effd21ea3132ef35e/ui/views/controls/textfield/textfield.h [modify] https://crrev.com/81671321cacaabd83b1e8d6effd21ea3132ef35e/ui/views/controls/textfield/textfield_unittest.cc [modify] https://crrev.com/81671321cacaabd83b1e8d6effd21ea3132ef35e/ui/views/controls/views_text_services_context_menu_mac.mm
,
Apr 19 2018
,
Apr 20 2018
Your change meets the bar and is auto-approved for M67. Please go ahead and merge the CL to branch 3396 manually. Please contact milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 20 2018
msw@, would it be possible for you to do the merge to M67 branch 3396 as spqchan@ is OOO until April 30th?
,
Apr 20 2018
+msw@ (CL reviewer), PTAL comment #15. Thank you.
,
Apr 21 2018
Merged to M67 in https://chromium-review.googlesource.com/c/chromium/src/+/1023190 Please help verify the fix on the next build, thanks.
,
Apr 21 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bead3ed8ff25c2fa78539e410a04bffbe7869b96 commit bead3ed8ff25c2fa78539e410a04bffbe7869b96 Author: spqchan <spqchan@chromium.org> Date: Sat Apr 21 00:05:06 2018 [MacViews] Fix Password Reveal in Views Textfield Don't show the "Look Up" menu item in the textfield context menu if the textfield is a password field. Testing: views_unittests TextfieldTest.LookUpPassword. Bug: 832103 Change-Id: I1fd526b0e51b19ae6f118da1d628958f26da380b Reviewed-on: https://chromium-review.googlesource.com/1013782 Reviewed-by: Michael Wasserman <msw@chromium.org> Commit-Queue: Sarah Chan <spqchan@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#552194}(cherry picked from commit 81671321cacaabd83b1e8d6effd21ea3132ef35e) Reviewed-on: https://chromium-review.googlesource.com/1023190 Cr-Commit-Position: refs/branch-heads/3396@{#189} Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428} [modify] https://crrev.com/bead3ed8ff25c2fa78539e410a04bffbe7869b96/ui/views/controls/textfield/textfield.h [modify] https://crrev.com/bead3ed8ff25c2fa78539e410a04bffbe7869b96/ui/views/controls/textfield/textfield_unittest.cc [modify] https://crrev.com/bead3ed8ff25c2fa78539e410a04bffbe7869b96/ui/views/controls/views_text_services_context_menu_mac.mm
,
May 4 2018
Able to reproduce this issue on build without fix hence verifying on latest canary 68.0.3419.0 and latest M67 - 67.0.3396.33 using Mac 10.12.6. Now Look Up field is not seen on context menu, after saving password. Attaching screenshots for reference. As fix is working as intended adding TE-Verified labels. Thanks! |
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by elawrence@chromium.org
, Apr 12 2018