Security: Access to user-saved password doesn't require root authentication
Reported by
mendickx...@gmail.com,
May 3 2018
Issue description

VULNERABILITY DETAILS

If I want to see my password saved in Chrome's manage passwords setting, I need to know the root authentication of the computer, like this one. But I found a way to see my password without needing the root authentication.

Step 1: I log in to my AWS service. Chrome will fill in the username and password automatically. Here the password is still shown as ********

Step 2: Open the Secret Server in AWS and store a new secret. The username and password will be filled in as the credentials for the RDS database. I can also select the username and password from the saved passwords.

Step 3: I clicked the show password checkbox, and then I can see my password. There is no requirement to log in with the root authentication of the computer. So, I think this is a security bug in Chrome's save password function; it should request root authentication if I click show password.

Step 4: I log out of AWS and use the federation login to Amazon, and I repeat Step 2 and Step 3. I can also select the item saved in the Chrome save passwords component. And I can also see the password without logging in with the root authentication of the computer.

The whole team shares the team account, so if another person on the team uses my computer, he will get my password for my personal account. So, I think this is a critical security issue and need to confirm it.

VERSION

Chrome Version: 65.0.3325.181 (Official Build) (64-bit)
Operating System: Windows 7 Enterprise, Service Pack 1

REPRODUCTION CASE

See the VULNERABILITY DETAILS

Please contact me at the mailbox: mendick2000@163.com
Aug 10
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, May 3 2018
Mergedinto: 126398
Status: Duplicate (was: Unconfirmed)