Chromium queries all passwords from secret service when encountering a login form
Reported by
mich...@fds-team.de,
Jun 30 2018
|
|||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Steps to reproduce the problem: 1. Start a secret service implementation (e.g., gnome-keyring) 2. Start chromium with the parameter --password-store=gnome-libsecret 3. Save the password for two or more websites (e.g. https://keepass.info/help/kb/testform.htm and https://www.w3schools.com/howto/tryit.asp?filename=tryhow_css_login_form_modal) 4. Start dbus-monitor 5. Go to any website with a login form What is the expected behavior? Chromium should only query passwords matching the requested login form (based on url, html fields, etc.). The dbus-monitor log should therefore show at most one call to the method GetSecret. What went wrong? Chromium queries the passwords for all items with the attribute "application: chrome-[...]", i.e., it creates (almost) a complete copy of the keyring even though it is not necessary. This violates the idea of having a password manager. Example for dbus-monitor output (replies removed): method call time=1530380917.676442 sender=:1.94 -> destination=:1.23 serial=2603 path=/org/freedesktop/secrets/collection/login/520; interface=org.freedesktop.Secret.Item; member=GetSecret object path "/org/freedesktop/secrets/session/s2" [...] method call time=1530380917.676473 sender=:1.94 -> destination=:1.23 serial=2604 path=/org/freedesktop/secrets/collection/login/519; interface=org.freedesktop.Secret.Item; member=GetSecret object path "/org/freedesktop/secrets/session/s2" [...] method call time=1530380917.676504 sender=:1.94 -> destination=:1.23 serial=2605 path=/org/freedesktop/secrets/collection/login/517; interface=org.freedesktop.Secret.Item; member=GetSecret object path "/org/freedesktop/secrets/session/s2" [...] method call time=1530380917.676534 sender=:1.94 -> destination=:1.23 serial=2606 path=/org/freedesktop/secrets/collection/login/516; interface=org.freedesktop.Secret.Item; member=GetSecret object path "/org/freedesktop/secrets/session/s2" [...] method call time=1530380917.676560 sender=:1.94 -> destination=:1.23 serial=2607 path=/org/freedesktop/secrets/collection/login/511; interface=org.freedesktop.Secret.Item; member=GetSecret object path "/org/freedesktop/secrets/session/s2" [...] method call time=1530380917.676600 sender=:1.94 -> destination=:1.23 serial=2608 path=/org/freedesktop/secrets/collection/login/124; interface=org.freedesktop.Secret.Item; member=GetSecret object path "/org/freedesktop/secrets/session/s2" [...] method call time=1530380917.676863 sender=:1.94 -> destination=:1.23 serial=2609 path=/org/freedesktop/secrets/collection/login/3; interface=org.freedesktop.Secret.Item; member=GetSecret object path "/org/freedesktop/secrets/session/s2" [...] Did this work before? No Chrome version: 67.0.3396.87 Channel: stable OS Version: 4.16.0 Flash Version: 30.0.0.113 Note that this issue also affects the "Manage passwords" dialog in the Chromium settings. Passwords are queried before the user requests the plain text. To provide some background: I am working on a hardware based password manager and thought that providing a secret service daemon would be a good way to add support for Chromium. If Chromium keeps querying the complete content of the password storage though, then this doesn't make any sense. The passwords are less well protected in a user process compared to the external hardware. Moreover with this excessive query behavior it is not possible to request a hardware based user confirmation before responding to a GetSecret request.
,
Jul 5
,
Jul 6
We are unhappy with the Linux password store implementation but currently don't have the resources to invest in that. If any Linux enthusiast would like to work on it, please let us know and we can provide some guidance.
,
Jul 15
I sent a patch to fix a part of the problem: https://chromium-review.googlesource.com/c/chromium/src/+/1137816
,
Jul 16
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6eab4bafdd21fd7726526be5c000c80c93caa32e commit 6eab4bafdd21fd7726526be5c000c80c93caa32e Author: Michael Müller <michael@fds-team.de> Date: Mon Jul 16 10:26:59 2018 Query libsecret password after matching attributes against login form Call secret_item_load_secret_sync only after matching the attributes of the secret item against the requested login form. This does not only improve the security as we don't query all available passwords, but also reduces the number of required dbus calls. The current code, for example, queried all passwords, even if none of the entries matched. R=dvadym@chromium.org Bug: 859305 Change-Id: I5e0432942d71d86fc9b06b86318b123614ab1be1 Reviewed-on: https://chromium-review.googlesource.com/1137816 Reviewed-by: Vadym Doroshenko <dvadym@chromium.org> Commit-Queue: Vadym Doroshenko <dvadym@chromium.org> Cr-Commit-Position: refs/heads/master@{#575218} [modify] https://crrev.com/6eab4bafdd21fd7726526be5c000c80c93caa32e/chrome/browser/password_manager/native_backend_libsecret.cc
,
Jul 16
Thank you very much for the contribution! Should we close this bug?
,
Jul 16
Technically this bug is now fixed. There are similar issues, for example, chrome queries all passwords during startup to feed its password reuse detector. I am fine with discussing them in separate bug reports though, if this is desired. |
|||
►
Sign in to add a comment |
|||
Comment 1 by viswa.karala@chromium.org
, Jul 1