New "Sign in with" Dialog Looks Like Malware
Reported by miqrogro...@gmail.com, Sep 21
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce the problem:
1. Create an account at, for example, wayfair.com
2. Save the password in Chrome.
3. Log out
4. Return to the affected website.

What is the expected behavior?
I should NEVER see an unsolicited confirmation of a login attempt.

What went wrong?
Chrome displayed a box that said "Sign in with your account saved with Google Chrome." Due to the fact that I had my @gmail.com account registered on this 3rd-party website, I had no indication at all of the login mechanism or credentials being requested. IS IT USING MY GMAIL ACCOUNT? IS IT USING MY PASSWORD FOR THAT WEBSITE? WHY IS IT ASKING ME TO CONFIRM AN ACTION THAT I NEVER REQUESTED?

Did this work before? Yes. I've never seen this happen in any other version of Chrome prior to 69.

Chrome version: 69.0.3497.100 Channel: stable
OS Version: 10.0
Flash Version:

The effective workaround I found is to visit chrome://settings/passwords and delete the credentials for the affected website from the Chrome password manager.
Sep 21

Sep 21
Linking this relevant blog, as the critical text is in PNG format only and never appears in search results. https://developers.google.com/web/updates/2016/04/credential-management-api
Sep 21
Here are some major discrepancies between what I'm seeing in Chrome, and what was explained in that blog:
- There was no "account chooser UI", but only Sign In or Cancel.
- The login domain was not displayed on the UI. How do I know if I'm being directed to a different site or not?
- The account name is ambiguous, does not show my real name, and does not show the login realm. Is the "account" for gmail.com or wayfair.com?
- The API was somehow triggered by using a browser bookmark and with no other interaction on the site whatsoever. This is an obvious avenue for abuse similar to alerts and popup windows.
- I couldn't find any settings to disable the "Sign in with" feature. Does one exist?
Sep 23

Sep 24
miqrogroove@ Thanks for the issue. Tested this issue on Windows 10 on the reported version 69.0.3497.100 and the latest Canary 71.0.3559.0 and unable to reproduce the issue by following the below steps.
1. Launched Chrome and navigated to http://wayfair.com/.
2. Created an account on the site and saved the password to Chrome.
3. Logged out of the site and returned to the site. Could login again with the autofill details and no issues were observed.
4. Could not observe any prompt saying "Sign in with your account saved with Google Chrome."

Attached is the screen cast for reference.

Note: Tested the issue by signing into Chrome, syncing the profile and without signing into Chrome as well and unable to reproduce the issue. Request you to check and confirm if anything is missed from our end in triaging the issue. Also request you to retry the issue on a new Chrome profile without any flags/extensions and update the thread with the observations. Thanks.
Sep 24
I saw the same problem with Facebook in the Chrome browser for Android a couple days ago. I'm thinking these sites are experimenting with the API, and the Chrome implementation is not so great.
Sep 24
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 24
Susan, one thing I noticed in your video is that you clicked Sign Out. The blog I referenced above says, "Once a user signs out, disable automatic sign-in for the next visit of the user."
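Added example for the point raised in the comment above, not code from the bug report, from Chrome or from wayfair.com: the site-side half of the Credential Management API flow the linked blog describes. On load the site asks the browser for a stored password credential with mediation 'silent' (no UI); on an explicit sign-out it calls navigator.credentials.preventSilentAccess(), after which a silent request returns null and the site must show its own login form instead of Chrome surfacing a sign-in prompt the user did not ask for. The mediation option and preventSilentAccess() are the current names for the blog's older unmediated flag and requireUserMediation(). In a real page `credentials` is navigator.credentials; FakeCredentialStore is a constructed stand-in implementing the spec's silent-access rule so the flow runs under Node, and login/logout are hypothetical calls to the site's own session endpoint.

```javascript
// Constructed stand-in for navigator.credentials (added example, not Chrome code).
// It models the per-origin "prevent silent access" flag from the spec: a silent
// request returns a credential only if exactly one is stored and the flag is clear.
class FakeCredentialStore {
  constructor(stored) {
    this.stored = stored;            // PasswordCredential-like objects saved for this origin
    this.silentAccessAllowed = true; // cleared by preventSilentAccess()
  }

  async get({ password, mediation }) {
    if (!password) return null;
    if (mediation === 'silent') {
      return this.silentAccessAllowed && this.stored.length === 1 ? this.stored[0] : null;
    }
    // 'optional' / 'required': stands in for the user picking the first account in
    // the browser's chooser. (The fake does not model the spec re-enabling silent
    // access after such an explicit choice.)
    return this.stored[0] || null;
  }

  async preventSilentAccess() {
    this.silentAccessAllowed = false;
  }
}

// On page load: sign the user in without any UI if the browser permits it,
// otherwise fall back to rendering the site's own login form.
async function signInOnLoad(credentials, login) {
  const cred = await credentials.get({ password: true, mediation: 'silent' });
  if (!cred || cred.type !== 'password') return { outcome: 'show-login-form' };
  const ok = await login(cred.id, cred.password); // hypothetical session endpoint
  return ok ? { outcome: 'signed-in', id: cred.id } : { outcome: 'show-login-form' };
}

// Explicit sign-out: end the server session, then tell the browser that the next
// sign-in on this origin needs the user's mediation. Skipping this second step is
// what lets a returning visitor be greeted with an automatic sign-in prompt.
async function signOut(credentials, logout) {
  await logout(); // hypothetical session endpoint
  await credentials.preventSilentAccess();
  return 'signed-out';
}

// Worked scenario mirroring the report: one saved credential, sign out, come back.
async function scenario() {
  const store = new FakeCredentialStore([
    { type: 'password', id: 'user@gmail.com', password: 'correct-horse' }, // constructed
  ]);
  const login = async (id, pw) => id === 'user@gmail.com' && pw === 'correct-horse';
  const logout = async () => {};

  const first = await signInOnLoad(store, login);   // silent sign-in succeeds
  await signOut(store, logout);                     // flag cleared for this origin
  const second = await signInOnLoad(store, login);  // silent request now yields null
  return [first.outcome, second.outcome];           // ['signed-in', 'show-login-form']
}

scenario().then((r) => console.log(r));
```

Note that the browser, not the site, owns the wording and chrome of the "Sign in with ..." dialog, so the discrepancies about missing origin and realm raised earlier in the thread cannot be fixed from site code; what a site does control is whether it asks for silent access at all after a sign-out.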
Sep 24
I was able to reproduce the wayfair.com scenario. Please try these exact steps:
1. Go to chrome://settings/content/cookies
2. Enable "Keep local data only until you quit your browser"
3. Enable "Block third-party cookies"
4. Go to wayfair.com
5. Sign in using your @gmail address and @wayfair password.
6. Close Chrome completely.
7. Launch new instance of Chrome.
8. Go to wayfair.com
Sep 24
Also, at step 5 I had to click the Key icon on the address bar to save the password.
Sep 25
miqrogroove@ Thanks for the update. Retried the issue on Windows 10 on the reported version 69.0.3497.100 as per comment #10 and unable to reproduce the issue. Attached is the screen cast for reference. Request you to provide a screen cast of the steps followed where the issue is reproduced, which will help in better understanding. Thanks.
Sep 29
Susan, thank you for your patience. It looks like you are right and there was another missing step. The strange dialog only appears when an exception has been added for google.com cookies. This is more accurate:
1. Go to chrome://settings/content/cookies
2. Enable "Keep local data only until you quit your browser"
3. Enable "Block third-party cookies"
4. Click the "Add" button next to "Allow"
5. In the Site field enter https://[*.]google.com
6. Click the "Add" button
7. Go to wayfair.com
8. Sign in using your @gmail address and @wayfair password.
9. Close Chrome completely.
10. Launch new instance of Chrome.
11. Go to wayfair.com
Sep 29
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1
Able to reproduce the issue on Mac 10.13.3, Win-10 and Ubuntu 17.10 using Chrome reported version 69.0.3497.100 and latest Canary 71.0.3566.0. This is a non-regression issue as it is observed from M60 old builds. Hence, marking it as Untriaged to get more inputs from the dev team. Thanks!
Oct 15
--Chrome Identity automated triaging-- This bug is Untriaged and has gone for two weeks without any activity, so it is being moved to Available. Please see https://goo.gl/78kbny for more details. Please remove the Services>SignIn or UI>Browser>Profiles components if this bug isn't related to Chrome Identity. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by miqrogro...@gmail.com, Sep 21: attachment (41.9 KB)