Issue 884781

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 17
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: Security Breach of Saved Passwords in Chrome

Reported by nipunpru...@gmail.com, Sep 17

Issue description

VULNERABILITY DETAILS
Although Chrome stores the saved passwords with lots of protection, and one has to give the OS login password to see a saved password (which is important to make it secure), today I found a way by which I can see the Gmail password without the need of the OS login password.

VERSION
Chrome Version: Version 69.0.3497.92 (Official Build) (64-bit)
Operating System: Windows 10 Home
Version: 1803
OS build: 17134.285


REPRODUCTION CASE
I have attached a 30 second video. Also, here are the steps I followed:
1. Open Google.com
2. Select the account whose password is already saved in Chrome.
3. It will show the sign-in password prompt, and it will be auto-filled because it's saved in Chrome.
4. Now, click on show password. We can see the password.

THREAT AND EXPLOITATION:
Since there is no security, anyone who can access the PC can see the saved password. It also discourages people from saving the password. So, "Show password" should be disabled in case of "auto-filled".



 
Chrome Bug_Medium (1).mp4
6.2 MB
Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
This is not considered a security vulnerability. Please see these two FAQ items for more information:

https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#what-about-unmasking-of-passwords-with-the-developer-tools
