New issue
Advanced search Search tips

Issue 844289 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: May 2018
Cc:
cfroussios@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Credentials located in gnome-keyring can be compromised

Reported by sungju...@gmail.com, May 18 2018 
1. VULNERABILITY DETAILS
  We figure out that login credentials, located in gnome-keyring, can be easily compromised. Google Chrome has a built-in ability to store login credentials, such as target URL, user account ID, and its password. Linux/Ubuntu basically uses ‘gnome-keyring’ as their backend to store login credentials in a secure manner. To use this, we should first unlock ‘gnome-keyring’ for viewing or using. When a user try to OS login to open a session, authentication is also performed together with ‘gnome-keyring’ as part of ‘pam-gnome-keyring.so’. At this point, it remains unlocked until system is shut down. 
  In this state, a simple program that uses ‘Secret Service API’ call and their ‘D-Bus’ interface can easily retrieve login credentials from those gnome-keyring without privilege escalation on Linux (please check the attached file and video below). We also examine login credentials as a form of plaintext, stored in gnome-keyring, without authentication through ‘chrome://settings/passwords’ page. On the other hands, Windows/Mac require authentication to access login credential as a form of User Account Control (UAC); they may use other keyring solution.
  Once a malware that equipped with above mentioned functions invades a user environment, it might be vulnerable to hackers who can access user PC to steal login credentials for Gmail, Facebook, Twitter, etc. Additionally, when synchronization is enabled, it leads to information disclosure threats and may aid in further attacks due to synchronized user credentials. 

2. VERSION
Chrome Version: Version 66.0.3359.181 (Official Build) (64-bit)
Operating System: Ubuntu 18.04 LTS (bionic)

3. REPRODUCTION CASE
(1) Visit a Web site in your Chrome browser, then try to login and confirm when the Chrome ask you to save login credential. (If you already have confirmed, just skip this step)
(2) Build and run the attached simple PoC.
(3) Finally, you can see all saved login credentials.


4. FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
linux_poc.mp4
8.9 MB View Download
linux_windows_sync_poc.mp4
16.6 MB Download
crack.c
1.7 KB View Download

Comment 1 by elawrence@chromium.org, May 18 2018

Components: UI>Browser>Passwords
Labels: OS-Linux
Stealing passwords after having compromised the machine with malware does not reflect a security vulnerability. 

https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What-about-unmasking-of-passwords-with-the-developer-tools

Comment 2 by elawrence@chromium.org, May 18 2018

Cc: cfroussios@chromium.org
Summary: Security: Credentials located in gnome-keyring can be compromised (was: Security: We figure out that login credentials, located in gnome-keyring, can be easily compromised.)
This appears to be the Linux version of  Issue 678171 , where it's noted that after a PC is compromised, data on the PC can be stolen.

> We also examine login credentials as a form of plaintext, stored in 
> gnome-keyring, without authentication through ‘chrome://settings/passwords’ 
> page. Windows/Mac require authentication to access login credential as a 
> form of User Account Control (UAC);

This is Working-as-Intended. The password prompt on Mac/Windows is deliberately not on Linux/CrOS and it is not a security feature (trivially circumvented as mentioned in #1).

Comment 3 by metzman@chromium.org, May 18 2018

Status: WontFix (was: Unconfirmed)
Marking this as WontFix since there is no way for Chrome to defend against this. Quoting from https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

"...We consider these attacks outside Chrome's threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your computer as you..."

Comment 4 by sungju...@gmail.com, May 19 2018 

Thank you for response.

Our proposed method might be one of the physical local attacks.
In this case, however, this happened because third-party component, i.e., gnome-keyring, is useful tool but can cause errors if used incorrectly.
The principal reason for using the tool is to help to protect users’ login credentials in encrypted form. (I guess Chrome’s developers just tried to employ this tool instead of managing a series of keys for encryption.) 
Unfortunately, it is meaningless since gnome-keyring is opened when a user try to OS login to open a session. From this point, gnome-keyring is to be open-wallet in an easily accessible data.
If users know this problem, they will no longer save login credentials.

To deal with it, we may want to make a product decision to drop gnome-keyring integration entirely and additional measures for key and authentication management, such as using polkit, will be necessary as OSX’s Chrome did.
If Chrome does, this problem might be mitigated.

Comment 5 by elawrence@chromium.org, May 23 2018

Labels: -Restrict-View-SecurityTeam allpublic

Sign in to add a comment