
Issue 854156


Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug-Security




Password Manager leaks credential to different origin site

Reported by alalinho...@gmail.com, Jun 19 2018

Issue description

Steps to reproduce the problem:
1. Access http://test.alalin.me/poc/password-manager-sop-broken2/
2. Fill in the login form and submit, then allow Chrome to save the form data.
3. Access https://test.alalin.me/poc/password-manager-sop-broken2/ to check whether the password is autofilled.
4. If it does not work, clear Chrome's data and do not sign in to your Google account, then try again.

What is the expected behavior?
According to the SOP, the password should not be autofilled in step 3.

What went wrong?
The password saved on the HTTP site was wrongly filled in on the HTTPS site; the SOP was broken.

Did this work before? N/A 

Chrome version: 67.0.3396.87  Channel: stable
OS Version: O
Flash Version: NA
 

Comment 1 by och...@chromium.org, Jun 20 2018

Cc: vabr@chromium.org
Components: UI>Browser>Passwords
Labels: Security_Severity-Low
I can reproduce this (passwords saved on http but filled on https), but this doesn't seem to work the other way around, which is the more interesting case (password saved on https but filled on http).

+vabr to comment on if this is expected behaviour.

Comment 2 by vabr@chromium.org, Jun 20 2018

Status: WontFix (was: Unconfirmed)
This is working as intended, it is a feature. The bug tracking adding that feature was issue 571580.

So, my question is, HTTP and HTTPS could be completely different Web sites (although the possibility is small). And even on the same site, the server's 80 and 443 ports could be protected with different security levels, e.g. a firewall.

So, could you please explain how much security risk this feature will introduce? Thanks

Comment 4 by vabr@chromium.org, Jun 22 2018

Looking at https://chromium.googlesource.com/chromium/src/+/e265f2fc6651f9c657ee166778643e92923abbc9/components/password_manager/core/browser/http_password_store_migrator.cc#43, the migration should not work across ports, only the scheme might change.

The security discussion is part of the design doc, which I now made viewable by anyone https://docs.google.com/document/d/1ei3PcUNMdgmSKaWSb-A4KhowLXaBMFxDdt5hvU_0YY8/edit?usp=sharing.
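The lookup rule vabr describes in comment 4, as an added illustration and not Chromium's own code: a minimal model in which a credential saved on an HTTP origin is offered on the HTTPS origin that differs only in scheme, never in the reverse direction, and never when the explicit port differs. Eliding default ports when serializing origins is my assumption; the sample store is constructed.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
Credential = Tuple[str, str]


def canonical_origin(url: str) -> str:
    """Serialize scheme://host[:port], dropping the scheme's default port
    (RFC 6454 style) so http://h:80/x and http://h/ map to one origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def http_migration_source(page_origin: str) -> Optional[str]:
    """Origin whose saved HTTP credential may be offered on page_origin.

    Models the rule in comment 4 (assumption: my reading of it): only the
    scheme changes (https -> http), host and explicit port are kept, and an
    HTTP page never receives an HTTPS credential. None when nothing applies.
    """
    origin = canonical_origin(page_origin)
    if not origin.startswith("https://"):
        return None
    return "http://" + origin[len("https://"):]


def find_credential(store: Dict[str, Credential], page_url: str
                    ) -> Optional[Tuple[str, Credential]]:
    """Exact-origin lookup first, then the HTTP fallback for HTTPS pages.
    Returns (origin the credential was saved on, credential) or None."""
    origin = canonical_origin(page_url)
    if origin in store:
        return origin, store[origin]
    source = http_migration_source(origin)
    if source is not None and source in store:
        return source, store[source]
    return None


# Constructed sample store: saved origin -> (username, password); all made up.
SAMPLE_STORE: Dict[str, Credential] = {
    "http://test.alalin.me": ("alice", "hunter2-http"),
    "https://secure.example": ("bob", "only-on-https"),
    "http://intranet.example:8080": ("carol", "port-8080-only"),
}
```

With this store, the HTTPS page of test.alalin.me receives the HTTP credential (the reported behaviour), the HTTP page of secure.example receives nothing, and https://intranet.example/ receives nothing because the saved origin uses a different port.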

Comment 5 by sheriffbot@chromium.org, Sep 26

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -vabr@chromium.org
