
Issue 864765


Issue metadata

Status: WontFix
Owner: ----
Closed: Jul 25
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug




Security: Exploit that allows a user to find somebody's personal passwords given that they are enrolled in a school district.

Reported by xzack.mu...@gmail.com, Jul 17

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug:
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
In a school system that deploys Chromebooks, they have a default password for a Google account made for the user. This password uses easily accessible information. In my school district, the formula for a password is '(first initial)(last initial)(birthday in MM/DD/YYYY)!'. The email itself is even easier, being the school 'lunch number' (a six-digit number that identifies the student) @sps('SPS' is the initials for the school district).org. One can obtain the 'lunch number' by going on to a website by Google that uses the 'Share' function (i.e. Google Slides). Once the person is on the website, all they have to do is type in your first and last name and it shows their email. Now, you can sign in to the user's account. That wouldn't be terrible in itself, but once the attacker has done this, all they have to do is go to Google Passwords, and if the victim saved passwords using their 'main' password, the attacker can access the user's home passwords. This attack targets the most susceptible groups, being children.

VERSION
Chrome Version: 67.0.3396.99 stable
Operating System: Windows 10 Version 1803, 17134.165 OS Build (They don't do service packs anymore)

REPRODUCTION CASE
This case can't be replicated in a single website as it is more of an exploit of given features. I'll add here that I'm not entirely sure that this fits the profile of something that I can report with this, but it still needs to be resolved.

POSSIBLE FIXES
I'll list the possible fixes that come to mind:
Make the format of passwords for students use information that is harder to access.
Block the use of Google Passwords on school accounts.
Allow users enrolled by the district to change their password.

OTHER NOTES
I have noticed that if you sign in on a computer that isn't a school-owned Chromebook, you can adjust your password, but the average student most likely wouldn't go through this hassle if they weren't aware that their personal passwords could be accessed.
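
An added example, not part of the original report or of Chromium: a check an account-provisioning script could run to reject a default password that is built only from directory attributes, as the formula described under VULNERABILITY DETAILS is. The function names, the token list, the `min_residual=8` threshold and the sample student record are assumptions constructed for illustration.

```python
import re
from datetime import date

def attribute_tokens(first, last, dob):
    """Strings about the user that classmates or a directory lookup can reveal."""
    f, l = first.lower(), last.lower()
    tokens = {f, l, f[0] + l[0], l[0] + f[0]}
    # Birth date in common numeric spellings (separators are stripped later).
    for fmt in ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y", "%Y"):
        tokens.add(dob.strftime(fmt))
    # Longest first, so a full date is removed before its year alone.
    return sorted(tokens, key=len, reverse=True)

def residual_after_stripping(password, tokens):
    """Drop separators, then every attribute token; return what is left over."""
    s = re.sub(r"[\s/\-._]", "", password.lower())
    for t in tokens:
        s = s.replace(t, "")
    return s

def is_attribute_derived(password, first, last, dob, min_residual=8):
    """True when fewer than min_residual characters are NOT explained by
    the user's own attributes (threshold is an assumed policy value)."""
    tokens = attribute_tokens(first, last, dob)
    return len(residual_after_stripping(password, tokens)) < min_residual

if __name__ == "__main__":
    # Constructed sample record, not a real student.
    first, last, dob = "Jamie", "Rivera", date(2005, 3, 14)
    for candidate in ("JR03/14/2005!", "Jamie2005!!", "correct-horse-battery-staple"):
        verdict = "REJECT" if is_attribute_derived(candidate, first, last, dob) else "ok"
        print(f"{candidate!r}: {verdict}")
```

A password that follows the district's formula leaves only the trailing `!` once the initials and birth date are stripped, so the check rejects it.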
 
Labels: -Type-Bug-Security Type-Bug
Thanks for the report.

The first suggestion of making passwords less guessable is something you'd have to take up with the school district. Many schools intentionally use semi-guessable passwords to avoid the burden of students forgetting them. Similarly for the third suggestion -- that is a policy decision for the school to make.

Unfortunately in this situation it sounds like the devices are not entirely suitable for personal use. Are personal accounts (using personal Google accounts, for example) allowed on these devices? If so, separating personal browsing from school browsing by using multiple Chrome accounts may be preferred, although this distinction between the managed account and the personal account may not be obvious to students unless they were told about it.

Either way, this sounds like a school policy issue rather than something Chrome/OS can handle. If the school technology administrators are concerned about this, they may want to turn off the Password Manager using an enterprise policy setting https://www.chromium.org/administrators/policy-list-3#PasswordManager.

If you think there are management features missing that are desired to address this, we can turn this into a request for those features, otherwise this sounds like something we can't fix.
Status: WontFix (was: Unconfirmed)
Closing this since it doesn't seem there's anything to do here.

If you think there are functional issues with managing the devices or features that would help address this concern, please file a normal (public) bug.
Project Member

Comment 3 by sheriffbot@chromium.org, Nov 1

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
