Security: Chrome uses windows encryption to store saved username and passwords
Reported by ralphkli...@gmail.com, Oct 6
Issue description

VULNERABILITY DETAILS
Chrome stores its saved passwords in sqlite database on local machine which then asks for local credentials in order to view the stored passwords. This can be bypassed by using win32crypt python module.

VERSION
Chrome Version 69.0.3497.100 (Official Build) (64-bit)
Operating System: Windows 10 Pro Version 10.0.15063 Build 15063

REPRODUCTION CASE
Use google chrome to remember password for any site.
Close chrome.
Run the proof of concept tool.
Enter any drive letter you have access to, example C: or e:, and press enter.
Tool will run and will dump username and password in location in folder labeled ChromeDump.

I strongly suggest that chrome should ask for google password before letting windows decrypt it as this tool can bypass the windows password. Windows may also be to blame, but Google Chrome should add their own security in browser by asking for Google account password first, thus protecting Chrome users if Windows makes a mistake or has vulnerability Google has no control over.

CREDIT INFORMATION
David Enos Bluedangerforyou

Please find proof of concept exe attached and video demonstration.
Jan 12
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mea...@chromium.org, Oct 6