Security: Deleting a password from chrome password manager does not work.
Reported by adhar.re...@gmail.com, May 10 2018
Issue description

VULNERABILITY DETAILS
If I try to delete the password for a particular site, it doesn't get deleted.

VERSION
Chrome Version: [66.0.3359.139] + [stable]
Operating System: [Windows 10, Version 1709, Build 16299.371]

REPRODUCTION CASE
I tried with a couple of websites but this was only happening with humblebundle.com. I had a saved password for humblebundle.com which was obsolete, but every time I entered the new password in the website's login page, Chrome replaced it with the old one. I couldn't log in (that's another issue). So, I deleted the login information for this site from Chrome and reloaded the page, but the same thing happened. I checked in the password manager but the saved entry was still there. For other websites, this was working correctly.

Note that the entry reappears only when I reload the humblebundle.com page and not before that. I tried to delete this in passwords.google.com but it did not work there as well. Also, I haven't tried this on other systems so I cannot be sure if it happens everywhere. I tried to delete the entry and restarted Chrome with chrome://restart also.

I have attached a video of this. (In the video I clicked the key button at around 00:07 in the address bar and deleted the entry but for some reason, it wasn't captured in the video)
May 11 2018
Looks like it. Maybe it'll get fixed in later versions. I am seeing 821763 was reported in version 67. I am using chrome stable v66.
May 11 2018
I guess that "can't delete the credential" part is the Issue 821763 indeed. The trick is to close the tab before you delete the credential as a workaround. But "couldn't login" is unexpected. Did you create a second issue for it? In any case if you open chrome://password-manager-internals/ before logging in, that log can be useful for us.
May 16 2018
Marking this issue as low-severity out of caution, but I don't really think there are any security implications of this bug. vasilii@ Can you take ownership of this issue?
May 17 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/47d67ced179788afbbf6e1cd106194b5ba67c8ae

commit 47d67ced179788afbbf6e1cd106194b5ba67c8ae
Author: Vasilii Sukhanov <vasilii@chromium.org>
Date: Thu May 17 15:14:22 2018

Update PasswordManager when a relevant credential is removed by the user.

Before this CL this behavior is possible:
- a credential is autofilled.
- user removes the credential via settings or "Manage passwords" bubble.
- user clicks "Login" or reloads the page. In other words makes an action that we consider a successful form submission.
- password manager updates the credential in the store by reviving it.

After this CL the password manager is informed as soon as the password is removed. Thus, the copy of the credential in the memory should go away.

Bug: 821763, 841853
Change-Id: If6c371312a9ed55217f5998989dd0457296a538a
Reviewed-on: https://chromium-review.googlesource.com/1064118
Reviewed-by: Vadym Doroshenko <dvadym@chromium.org>
Commit-Queue: Vasilii Sukhanov <vasilii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559539}

[modify] https://crrev.com/47d67ced179788afbbf6e1cd106194b5ba67c8ae/chrome/browser/password_manager/password_manager_browsertest.cc
[modify] https://crrev.com/47d67ced179788afbbf6e1cd106194b5ba67c8ae/chrome/browser/ui/passwords/manage_passwords_state.cc
[modify] https://crrev.com/47d67ced179788afbbf6e1cd106194b5ba67c8ae/chrome/browser/ui/passwords/manage_passwords_state.h
May 17 2018
May 17 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3a59c3eb8a2b87cfda23a6642de915c99bd3905f

commit 3a59c3eb8a2b87cfda23a6642de915c99bd3905f
Author: Chong Zhang <chongz@chromium.org>
Date: Thu May 17 17:28:17 2018

Revert "Update PasswordManager when a relevant credential is removed by the user."

This reverts commit 47d67ced179788afbbf6e1cd106194b5ba67c8ae.

Reason for revert: Seems to cause flakiness on interactive_ui_tests
http://chromium-try-flakes.appspot.com/search?q=PasswordGenerationInteractiveTest.PopupShownAndPasswordSelected

Original change's description:
> Update PasswordManager when a relevant credential is removed by the user.
>
> Before this CL this behavior is possible:
> - a credential is autofilled.
> - user removes the credential via settings or "Manage passwords" bubble.
> - user clicks "Login" or reloads the page. In other words makes an action that we consider a successful form submission.
> - password manager updates the credential in the store by reviving it.
>
> After this CL the password manager is informed as soon as the password is removed. Thus, the copy of the credential in the memory should go away.
>
> Bug: 821763, 841853
> Change-Id: If6c371312a9ed55217f5998989dd0457296a538a
> Reviewed-on: https://chromium-review.googlesource.com/1064118
> Reviewed-by: Vadym Doroshenko <dvadym@chromium.org>
> Commit-Queue: Vasilii Sukhanov <vasilii@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#559539}

TBR=vasilii@chromium.org,dvadym@chromium.org

Change-Id: Ifbd0b85fd68399e01b58a8faaad29f677fb7ffe6
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 821763, 841853, 844077
Reviewed-on: https://chromium-review.googlesource.com/1064473
Reviewed-by: Chong Zhang <chongz@chromium.org>
Commit-Queue: Chong Zhang <chongz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559590}

[modify] https://crrev.com/3a59c3eb8a2b87cfda23a6642de915c99bd3905f/chrome/browser/password_manager/password_manager_browsertest.cc
[modify] https://crrev.com/3a59c3eb8a2b87cfda23a6642de915c99bd3905f/chrome/browser/ui/passwords/manage_passwords_state.cc
[modify] https://crrev.com/3a59c3eb8a2b87cfda23a6642de915c99bd3905f/chrome/browser/ui/passwords/manage_passwords_state.h
May 18 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1fd384b65ca67a73e6766d754ca9b115d57d3686

commit 1fd384b65ca67a73e6766d754ca9b115d57d3686
Author: Vasilii Sukhanov <vasilii@chromium.org>
Date: Fri May 18 13:23:29 2018

Reland: Update PasswordManager when a relevant credential is removed by the user.

Before this CL this behavior is possible:
- a credential is autofilled.
- user removes the credential via settings or "Manage passwords" bubble.
- user clicks "Login" or reloads the page. In other words makes an action that we consider a successful form submission.
- password manager updates the credential in the store by reviving it.

After this CL the password manager is informed as soon as the password is removed. Thus, the copy of the credential in the memory should go away.

This is a reland of https://chromium-review.googlesource.com/c/chromium/src/+/1064118

The reason for original failure was a refetch on adding a credential:
- A password was generated and added to the store.
- Refetch was triggered.
- The generated password was autofilled everywhere including the original field.
- The password manager wasn't in the generation mode anymore.

Bug: 821763, 841853
Change-Id: Ia0f24ccdf8d53dd0c3c740e9672c291322a5fd63
Reviewed-on: https://chromium-review.googlesource.com/1065971
Reviewed-by: Vadym Doroshenko <dvadym@chromium.org>
Commit-Queue: Vasilii Sukhanov <vasilii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559875}

[modify] https://crrev.com/1fd384b65ca67a73e6766d754ca9b115d57d3686/chrome/browser/password_manager/password_manager_browsertest.cc
[modify] https://crrev.com/1fd384b65ca67a73e6766d754ca9b115d57d3686/chrome/browser/ui/passwords/manage_passwords_state.cc
[modify] https://crrev.com/1fd384b65ca67a73e6766d754ca9b115d57d3686/chrome/browser/ui/passwords/manage_passwords_state.h
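
The sequence described in the commit messages above, modelled as an added example (not Chromium's code and not part of the original thread): a per-tab in-memory copy of an autofilled credential is written back on submission unless the tab is told about the removal. All class and function names are hypothetical, and the sample credential is constructed.

```cpp
// Model of the credential "revival" from the commit message; hypothetical names, not Chromium code.
#include <map>
#include <string>
#include <vector>
struct Credential { std::string origin, username, password; };

class Store {
 public:
  struct Observer {
    virtual ~Observer() = default;
    virtual void OnRemoved(const std::string& origin) = 0;
  };
  void AddObserver(Observer* o) { observers_.push_back(o); }
  void Upsert(const Credential& c) { rows_[c.origin] = c; }
  void Remove(const std::string& origin) {
    rows_.erase(origin);
    for (Observer* o : observers_) o->OnRemoved(origin);  // notify in-memory holders
  }
  bool Has(const std::string& origin) const { return rows_.count(origin) > 0; }
 private:
  std::map<std::string, Credential> rows_;
  std::vector<Observer*> observers_;
};

// Per-tab state holding an in-memory copy of the autofilled credential.
class TabFormState : public Store::Observer {
 public:
  // observe == false models the behaviour before the change.
  TabFormState(Store* s, bool observe) : store_(s) { if (observe) s->AddObserver(this); }
  void Autofill(const Credential& c) { filled_ = c; has_filled_ = true; }
  // Reload or "Login" click, treated as a successful submission: the cached copy is written back.
  void OnSuccessfulSubmission() { if (has_filled_) store_->Upsert(filled_); }
  void OnRemoved(const std::string& origin) override {
    if (has_filled_ && filled_.origin == origin) has_filled_ = false;  // drop the stale copy
  }
 private:
  Store* store_;
  Credential filled_;
  bool has_filled_ = false;
};

// Returns true if a deleted credential is back in the store after a reload.
bool DeletedCredentialRevives(bool observe_removals) {
  Store store;
  Credential c{"https://example.test", "user", "old-password"};  // constructed sample
  store.Upsert(c);
  TabFormState tab(&store, observe_removals);
  tab.Autofill(c);
  store.Remove(c.origin);        // user deletes the entry in settings
  tab.OnSuccessfulSubmission();  // user reloads the page
  return store.Has(c.origin);
}
```
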
May 18 2018
May 21 2018
Jun 4 2018
I'm afraid the Chrome VRP panel looked at this and decided not to track it as a security bug.
Aug 24
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rsesek@chromium.org, May 10 2018
Components: UI>Browser>Passwords