Security: get stored password from xhr
Reported by nagy...@gmail.com, Jul 17
Issue description
Currently under settings->advanced->managed password if you want passwords to show you need to enter your Windows password. I realized that, from the Chrome DevTools you can get that data without any knowledge of the OS password. On any HTTPS site any person with access to another's computer has the ability to log in with the other's previously saved credentials, but with a little workaround the person can easily get the saved password from the Chrome DevTools. If the person opens the DevTools->Network before the person presses the submit button, the person can retrieve the other's password in plain text from the xhr.
Jul 17
In fact, it's even easier than that. See https://dev.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools- for an equivalent situation, and why it's not a problem. Feel free to re-open the bug if I've misinterpreted what you're saying.
Jul 17
Thank you for your comments. It is clear after reading the article provided in Comment 2.
Oct 24
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by cthomp@chromium.org, Jul 17