Security: Prompt to save password for Verizon FIOS router displays the typed password in the "Username" field
Reported by
wdorm...@gmail.com,
Jun 18 2018
|
|||||
Issue descriptionVULNERABILITY DETAILS I have a Verizon FiOS-G1100 home router. Upon attempting to log in to the router, Chrome asked me if I wanted to save my password. However, in the dialog that was displayed on the screen, the "Username" field displayed the password that I typed in the clear. Had anybody seen my screen, they would have seen my password. I suspect there's something that confused Chrome about which field was which. Even though my password was masked with dots when I was typing it in, as expected, there apparently isn't anything that ensures that such fields aren't displayed in the clear in the password-remembering prompt. VERSION Chrome Version: Version 67.0.3396.87 (Official Build) (64-bit) Operating System: MacOS 10.13.5 (17F77) REPRODUCTION CASE This could be tricky. I've only seen it when I successfully log into my FiOS-G1100 router. However, I've attached the HTML source of the login page that is causing the confusion.
,
Jun 19 2018
,
Jun 19 2018
As the issue require Verizon FIOS router to test the issue and test team doesn't have the device in order to test the issue. Hence, requesting someone from the password team to help in further debugging of the issue and adding TE-NeedsTriageHelp. Thanks...!!
,
Jun 19 2018
Can you open chrome://password-manager-internals/ in a tab and the login in another tab? The log would be useful for debugging. Nevertheless, I think I understand the problem. The page has 2 password fields: one for actual password, another one is for plain-text password when you click the eye icon in the site. We capture the latter as a username. CC relevant folks. As the route is on internal network I guess the whole server magic is useless. However, vabr@ recently talked about local heuristics when user typed something then it's a username with a higher chance.
,
Jun 20 2018
Indeed, Chrome is likely to understand the second text field as username (because the first field is disabled, and the old parser ignores disabled fields [1]). Given that it contains the copy of the password, that would explain the password being shown in the username. The new parser ignores "disabled" attribute, so it would pick the correct username here. That's merely a coincidence (had the both password fields swapped their order, this would not help). [1] https://chromium.googlesource.com/chromium/src/+/a2fafb96a5ee17ccb46dc192be927d6ece73da39/components/autofill/content/renderer/password_form_conversion_utils.cc#578
,
Jun 20 2018
Are you aware that we have WebFormControlElement::FormControlTypeForAutofill()? That will continue to say "Password" even if an <input type="passwords"> is changed to <input type="text"> because the user clicked on some "reveal my password" icon.
,
Nov 20
Thank you for sharing this relevant information about router. If you are getting any kind of issue while using router then i suggest you to once read this blog carefully: https://www.routertechnicalsupportnumbers.com/blog/how-to-fix-connection-failed-asus-error-651-in-windows-7-8-and-10/, to get proper guideline.
,
Nov 29
vabr going hobby only -> reducing involvement. Please contact me directly in urgent matters. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by wfh@chromium.org
, Jun 18 2018Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Pri-2 Type-Bug