Chrome allows viewing "Saved Password" if gmail password is saved in browser
Reported by
skanungo...@gmail.com,
Aug 3
|
|||||||||||
Issue descriptionWe may save password for different websites including net banking and online shopping credentials. Chrome should ask to enter either Gmail password or device PIN when anyone tries to view saved password at password.google.com. Pre Condition: User has saved gmail password in Chrome along with password of some other websites. Steps to Reproduce: 1. Open Chrome on Android 2. Click on settings and head over to Password under Basic settings. 3. Click on view and manage saved password at password.google.com 4. Chrome redirects to account.google.com where it ask to enter gmail password. Since the gmail password is already saved so user can click NEXT button without entering the password. 5. Chrome shows list of saved password. 6. Select any password and click on SHOW icon. Expected Result: Chrome should again ask to enter Gmail Password without automatically filling up user credentials or should ask to enter device PIN. Actual Result: Password is shown instantly without asking to enter any credentials This can be serious security and privacy issue for a user who has lost his or her phone and has not setup any screen lock, such that device can be unlocked easily.In that case his or her banking and online shopping accounts are at major risk along with information of other websites. The attacker can access anything with saved password. Chrome should ask to manually enter Gmail pasdword when someone tries to access password.google.com, even when the gmail password is saved in Chrome browswr. Alternatively it can ask to renter PIN or password when clicked on SHOW password icon. I have attached all screenshots which demonstrates the issue. For security reasons I had placed stickers over my visible password. Regards, Subhadeep Kanungo
,
Aug 3
Passing to password manager team to triage. AFAIK, we *do* have mitigations against saving the password of the account which syncs the passwords up to passwords.google.com.
,
Aug 3
The scenario I explained above, here user wants to sync password. But this becomes potential risk if user lost his/her phone or is stolen.
,
Aug 17
Thanks for the report. As for storing the password used for syncing: If Chrome can help it, it won't store the Google password guarding the synced data (see [1]). But it might happen that this password was stored before sync was set up, then gets included in the synced data and kept further on. This is not easy to solve, because Chrome cannot just forget (or refuse to fill) the password in cases when the user might not have other ways to learn that password. If you update your Google password, Chrome won't remember the new one for you and should delete the old one. Local attacks (when the attacker can access the device unlocked) are not part of Chrome's threat model [2]. With such access, there are too many other ways to steal passwords and other data from the user. Reauthentications of any kind are privacy best-effort helpers, if anything. While in the native Chrome settings, one can view passwords after passing the lock-screen challenge, on passwords.google.com (which is a website and knows nothing of the device), Google password is the only reauthentication possibility. This only affects users who first saved their Google password and then set up sync, and never updated the Google password afterwards. There is no way out of this state for those users other than updating their passwords, if Chrome does not want to risk locking some of them out. [1] https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-doesn-t-the-Password-Manager-save-my-Google-password-if-I-am-using-Chrome-Sync- [2] https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- |
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by skanungo...@gmail.com
, Aug 3151 KB
151 KB View Download