New issue
Advanced search Search tips

Issue 853173 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security



Sign in to add a comment

Saved passwords are shared among all profiles on the same Linux account.

Reported by dunpea...@gmail.com, Jun 15 2018

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.62 Safari/537.36

Steps to reproduce the problem:
1. Launch Chrome with a new profile A using --user-data-dir pointing to any empty directory.
2. Save a few passwords on profile A.
3. Launch Chrome with a new profile B using the same method above.
4. Check the local password storage of profile B.

What is the expected behavior?
Passwords saved on profile A should not be shared with profile B.

What went wrong?
All passwords saved on profile A are shared with profile B.

Did this work before? No 

Chrome version: 67.0.3396.62  Channel: stable
OS Version: Ubuntu 18.04 LTS
Flash Version: 

This problem becomes far more severe when using Chrome Sync, because then all passwords used under the same Linux account get uploaded to all profiles used under that account, and then propagated virally onto any profile used on any other Linux machine where even one of the profiles from the original machine was used.
 

Comment 1 by wfh@chromium.org, Jun 15 2018

Cc: vabr@chromium.org kolos@chromium.org dvadym@chromium.org
Components: UI>Browser>Passwords
Owner: vasi...@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for your report.

is there a reason why you are using --user-data-dir rather than Chrome profiles (chrome://settings/people)?

Comment 2 by dunpea...@gmail.com, Jun 15 2018

I wrote a command-line script that manages (creates, destroys) profiles and launches Chrome with particular profiles. I'm not aware of a way to do that via the GUI that is quite as easy and smooth (i.e. call `chrome-wrapper foo-prof` and have it launch an instance with its own history, preferences, and potentially corresponding Google profile).

Comment 3 by wfh@chromium.org, Jun 15 2018

Cc: vasi...@chromium.org
Owner: ----
Status: Unconfirmed (was: Assigned)
I could not reproduce this on 67.0.3396.87 on Linux.

by "local password storage of profile B" do you mean visit chrome://settings/passwords - or actually query the OS storage manually?

Comment 4 by dunpea...@gmail.com, Jun 15 2018

The passwords are visible on profile B at chrome://settings/passwords

This has been a persistent issue on multiple Xubuntu installations since at least 16.04 LTS, and still affect the latest 18.04.

Comment 5 by wfh@chromium.org, Jun 15 2018

hmm maybe it's using a different os_crypt password backend from me. Can you check histogram "PasswordManager.LinuxBackendStatistics" in chrome://histograms

Can you also try with Dev channel...?

Comment 6 by dunpea...@gmail.com, Jun 15 2018

This is the output for the histogram. I'll be happy to try Dev channel, how do I do that on Ubuntu?

Histogram: PasswordManager.LinuxBackendStatistics recorded 1 samples, mean = 10.0 (flags = 0x41)
0   ... 
10  ------------------------------------------------------------------------O (1 = 100.0%) {0.0%}
11  ... 

Comment 7 by wfh@chromium.org, Jun 15 2018

hmm I am also 10 which is "GNOME_NOFLAG_LIBSECRET" - so should be seeing the same behavior as you.

Are you signed into sync in the profile? Perhaps the passwords are syncing down?

You can try dev channel here -> https://www.google.com/chrome/browser/?platform=linux&extra=devchannel

Comment 8 by dunpea...@gmail.com, Jun 15 2018

I am somewhat embarrassed to report that I have found the likely cause of the issue.

To facilitate the fast creation of new profiles, I kept a "template" profile with a bunch of default configurations and pre-installed extensions, that the wrapper script would copy to a new data dir upon creating the profile.

It seems that profiles created from this template all share the same set of passwords, whereas profiles created from scratch (by providing a path of an empty directory to --user-data-dir) do not.

Comment 9 by wfh@chromium.org, Jun 15 2018

Status: WontFix (was: Unconfirmed)
okay, glad to have found the issue. Thanks for the update. Marking WontFix.
Thanks. By any chance, is there a way to automatically configure Chrome instances, to replace the "template profile" method?
Project Member

Comment 11 by sheriffbot@chromium.org, Sep 22

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -vabr@chromium.org

Sign in to add a comment