VULNERABILITY DETAILS

Passwords which have been saved to a user's Chrome profile can be revealed without user verification by importing them into another browser.

Example:

1. A user of Chrome saved a password for a website submission form.

2. The user accepts the prompt and saves the password

3. The user attempts to reveal these saved passwords from Settings > Advanced > Manage passwords. Bu the user must re-authenticate to reveal the passwords.

4. To circumvent this requirement, we simply installed the latest stable build of Firefox, and imported the passwords from Chrome using their wizard. We can now reveal the passwords without verification. Clearly the re-authentication requirement is superficial to the Chrome interface.

This worries us because of the ease with which a normal, Average Joe, was able to do this.

If this is useful or informative, we'd love a credit to https://www.neutral.com.au. We will publish details of this once we've heard that we are allowed to do so, or in 30 days.

Thank you

Adam Gough
adam@neutral.com.au


VERSION
Chrome Version: Version 67.0.3396.99 (Official Build) (64-bit)
Operating System: 7, 10

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace *with symbols*, registers,
exception record]
Client ID (if relevant): [see link above]