Issue 847327

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security


Chrome shows saved passwords after user provides system password

Reported by icaromor...@gmail.com, May 29 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36

Steps to reproduce the problem:
Version:
Chrome Version: 66.0.3359.181 (stable)
Operating System: Windows 10 Home Single Language, version 1803

1. Open Google Chrome and sign in with a Google account in your browser.
2. Go to Settings > Advanced > Passwords and Forms > Manage Passwords. In "Saved Passwords", click on the password of the site you want to view.
3. When prompted for a password, enter the local administrator user's machine password.

What is the expected behavior?
The expected behavior is that the Google Chrome browser will only display the web passwords saved in your password bank after validating the login and password of the user whose session is signed in to the browser, and will not use the local machine administrator's login and password as validation.

What went wrong?
In the "Passwords and forms" option in the advanced settings of Google Chrome, there is a security hole in the bank of saved web passwords of users who sign in to the browser with a Google account.
When you click to display one of the web passwords saved in the browser, you are prompted for the local machine administrator password. If the password is typed correctly, the saved web passwords are displayed, and that is where the security failure occurs. Example: someone uses someone else's computer and signs in with a Google account in the Google Chrome browser installed on this computer. If this user finishes using the computer and does not sign out of the account in the browser, the computer owner can, with the local administrator password of the computer, display the web passwords saved in the account that was used on the computer, because Google Chrome prompts for the machine's local administrator password to display the saved web passwords instead of asking for the Google account owner's password.

Did this work before? N/A 

Chrome version: 66.0.3359.181  Channel: stable
OS Version: 10.0
Flash Version: 28
 
Components: UI>Browser>Passwords
Status: WontFix (was: Unconfirmed)
Summary: Chrome shows saved passwords after user provides system password (was: Security issue with Chrome saved passwords)
This is working as intended. There are simpler ways for a local attacker to steal locally stored passwords that don't require any sort of authentication at all (see e.g. https://textslashplain.com/2017/10/16/stealing-your-own-password-is-not-a-vulnerability/) and not all platforms request any form of authentication (only Windows and Mac, not Linux or CrOS).

Please see https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model

The security failure in your scenario occurs at this point: "Someone uses someone else's computer". It's NEVER safe to enter any data on a system you do not trust and control, regardless of which OS or browser is being used.

Comment 2 by sheriffbot@chromium.org (Project Member), Sep 4

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot