Security: Bypassing 2FA protection for passwords
Reported by
liamolea...@gmail.com,
Oct 5
Issue description

VULNERABILITY DETAILS
Able to bypass 2FA for viewing passwords by logging into the target's Gmail account through Chrome itself. From there, the user can go to chrome://settings/passwords - and instead of being prompted with 2FA as they would be if logged in through Gmail and not the Chrome browser itself, is then prompted to log in with the details of the computer.

VERSION
Chrome Version: [69.0.3497.100] + [Stable]
Operating System: [Win10, Version 1803 (OS Build 17134.285)]

REPRODUCTION CASE
My apologies - I'm unsure of how to show a replication of this bypass as it's not done through malicious code.
,
Oct 5
Sorry, physical attack is not in our threat model. As long as an attacker can access the victim's device, there's not much we can do. Besides, I think you are describing a Google login issue, not a bug in Chrome. Closing as working as intended.
,
Oct 6
Sorry, I think there's a misunderstanding. This bypass does not need to have access to the victim's device. This can be performed on any computer (as far as I know), as long as they have access to the person's Gmail details. That is why this bypass is a security issue.
,
Jan 12
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot