
Issue 848625

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 777142
Owner:
hobby only
Closed: Jun 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Chrome remembers credentials even after deleting them and refreshing the page

Reported by brouns.w...@gmail.com, Jun 1 2018

Issue description

VULNERABILITY DETAILS
Applicable to logging in to personal banking. Successfully fooled a colleague, demonstrating his credentials were deleted, after which I could refresh the page and retrieve his credentials. This bug is almost too straightforward to reproduce, implying this behavior may be by design (?). Yet this is also hard to conceive, given I do not understand how a) the credentials are still maintained in memory somehow even though I remove it and Chrome confirms it is removed and b) why Chrome automatically re-adds it to the Passwords list without asking for approval to store the credentials.

VERSION
Chrome Version: Version 67.0.3396.62 (Official Build) (64-bit)
Operating System: Windows 10, winver 1709
Extensions: ABP only
No additional passwords managers are used on this system.
Only 1 instance of Chrome is open with 2 tabs
I have not created any custom client code or a spoof version of the banking website.
Tested in a regular Chrome instance (not incognito)

REPRODUCTION CASE
I will demonstrate the bug by means of a video at the following Google Photos URL: https://photos.app.goo.gl/mzjLkOqDtfClE1ht2 . Please note this video is only shared in this submission form, and not shared anywhere else at the moment. Also because of the rules of the vulnerability reward program.

1. In the video, I will thereby start with the scenario I presented to a co-worker, whose credentials I had just presumably 'removed'.
2. I press the key at the address bar end, showing no passwords are saved.
3. I demonstrate that the password is not in the Manage Passwords list
4. I then refresh the page, or I re-enter the URL in the addressbar
5. The credentials are auto-filled, even though steps 2 and 3 demonstrated they did not exist.
6. I can log into the banking account
7. The credentials are automatically added back into the Manage Passwords list, without any popup or user-confirmation to allow storing these credentials again.

SCENARIOS IN WHICH IT DOES NOT OCCUR
If you close the tab and open a new tab to navigate to the website, it does not occur. However, this has to be done before Chrome has 'the chance' to auto-fill the username and password fields into the existing, unclosed tab. Because as soon as it can, I will add the credentials back into the Manage Passwords.

Happy to hear from you,
Brouns

 
Components: UI>Browser>Passwords
This is likely a duplicate of Issue 777142, although there are comments in other issues in the Password Manager node that indicate that at least some Chromium Developers expect that Refreshing the tab would detach its credentials.
Owner: vabr@chromium.org
Status: Assigned (was: Unconfirmed)
vabr: Can you please confirm this is the same as bug 777142?

Comment 3 by vabr@chromium.org, Jun 5 2018

Mergedinto: 777142
Status: Duplicate (was: Assigned)
Thanks for the report, and also thanks for finding the old bug 777142.
It does indeed appear to me as the same issue, although the reporter here does not specify what steps lead to saving and then deleting the credentials.
Project Member

Comment 4 by sheriffbot@chromium.org, Sep 11

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
