New issue
Advanced search Search tips

Issue 844405 link

Starred by 3 users
Status: WontFix
Owner: ----
Closed: May 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: ----
Type: Bug



Sign in to add a comment

Passwords revealed if there is no Windows password set

Reported by dimka-ch...@mail.ru, May 18 2018 
Good afternoon. I discovered a vulnerability associated with user passwords to saved sites and passwords in the Google browser. In the Windows operating system without a password for the user account.

If your Windows does not have a password, you can steal personal information for all saved passwords. This problem should be solved by re-entering the password for the google account in the chrome: // settings / passwords? Search = password section.
Also for passwords for your Google account. This is the password for the account.
Thus, this problem will be solved.
In the event that the device is in some way temporarily removed for the purpose of identity theft, you can access the service to which the user's credit card is linked and steal money or other data theft.

language for communication russian
mobile phone +375447470041

Comment 1 by elawrence@chromium.org, May 18 2018

Components: UI>Browser>Passwords
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Windows Type-Bug
Summary: Passwords revealed if there is no Windows password set (was: Security: )
This is not a security bug, as it requires physical access. https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#What-about-unmasking-of-passwords-with-the-developer-tools

Having said that, I thought our design here was to use this flow as an opportunity to encourage the user to set a Windows password?

Comment 2 by dimka-ch...@mail.ru, May 18 2018

IMG_20180518_155933.jpg
2.0 MB View Download

Comment 3 by dimka-ch...@mail.ru, May 18 2018 


it is necessary to remove the windows password and put the password discovery on the password from Google

Comment 4 by dimka-ch...@mail.ru, May 18 2018 

this is a bug of the logical security scheme

Comment 5 by dimka-ch...@mail.ru, May 18 2018 


the scheme of theft will look like this: sending a link to the user's mail, downloading the user of malicious software. Notification of the hacker about the inactivity of the PC and the availability of the connection. Attacking and stealing passwords.

Comment 6 by elawrence@chromium.org, May 18 2018 

After the user's PC is compromised by malware, it's no longer the user's computer anymore. Law #1: https://blogs.technet.microsoft.com/rhalbheer/2011/06/16/ten-immutable-laws-of-security-version-2-0/

The only question here is whether Chrome is supposed to be guiding the user here.

Comment 7 by dimka-ch...@mail.ru, May 18 2018 


thanks for the great opportunity to steal data! Google is human :)

Comment 8 by vasi...@chromium.org, May 22 2018

Status: WontFix (was: Unconfirmed)
We discussed it back then when the feature was implemented. There are some problems with using Google passwords:
- user doesn't have to have a Google account to use Chrome.
- What to do offline.

The reauth feature was never meant to prevent the "malware running" use case. It's rather a soft lock stopping a non-tech savvy relatives.

There is an idea to introduce a master password. For now it's just one idea out of many with unclear future.

Comment 9 Deleted

Comment 10 by dimka-ch...@mail.ru, May 22 2018 


No Google account, no auto save passwords. The solution of the problem is exactly this. If users do not have an account, this confirms that they do not need to save passwords

Sign in to add a comment