
Issue 895196


Issue metadata

Status: Duplicate
Merged: issue 748120
Owner: ----
Closed: Oct 15
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: ----
Type: Bug-Security




Security: Flaw in the Saved Password feature in Chrome.

Reported by jaydenh1...@gmail.com, Oct 15

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug:
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

Reports may be eligible for reward payments under the Chrome VRP:
http://g.co/ChromeBugRewards

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

-------------------------

VULNERABILITY DETAILS
There is a flaw in the security design protecting saved passwords in the Chrome Browser.

VERSION
Chrome Version: 69.0.3497.100 (Official Build) (32-bit)
Operating System: Windows 10 Enterprise 1709 - 16299.15

REPRODUCTION CASE
When passwords have been synced with a Google account to the Chrome browser, the passwords are only secured by the user's computer password.

The passwords can be revealed through saved passwords in Chrome settings, clicking the eye.
If the user's computer password is reset, the new password also allows someone to view the saved passwords (Domain account and local).
The passwords are not secured by the Google account once the data has been synced to the browser.



FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace *with symbols*, registers,
exception record]
Client ID (if relevant): [see link above]

CREDIT INFORMATION
Externally reported security bugs may appear in Chrome release notes. If
this bug is included, how would you like to be credited?
Reporter credit: J Hopkinson

 
Status: WontFix (was: Unconfirmed)
This is outside of Chrome's threat model.

"We consider this attack outside Chrome's threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your computer as you, or who can run software with the privileges of your operating system user account. Such an attacker can modify executables, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your computer, and nothing Chrome can do would provide a serious guarantee of defense. This problem is not special to Chrome — all applications must trust the physically-local user."

Please see: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-
Labels: -Restrict-View-SecurityTeam allpublic OS-Windows
Mergedinto: 748120
Status: Duplicate (was: WontFix)
In fact, this is not even possible within Chrome's threat model, because the password storage on Windows is keyed with the user's login password, so changing the password externally (e.g. via another administrator account, or booting via a USB stick) would invalidate this key and thus make the passwords inaccessible.

Please see https://bugs.chromium.org/p/chromium/issues/detail?id=748120#c6 for more details on this.
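The key binding described in the last comment, as an added simplified model that is not part of the original thread and is not Chrome's or Windows' code: a master key wrapped under a key derived from the login password survives a normal password change (old password supplied) but not an external reset. All function names, the toy SHA-256 keystream cipher and the sample values are assumptions made for illustration.

```python
import hashlib, hmac, os

def kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the login password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _stream(key: bytes, n: int) -> bytes:
    # Toy SHA-256 counter keystream, a stand-in for a real cipher.
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))
    return hmac.new(key, ct, "sha256").digest() + ct

def unseal(key: bytes, blob: bytes) -> bytes:
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("wrong key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))

def create_profile(login_pw: str, secret: bytes) -> dict:
    # The saved secret is sealed under a random master key; only the
    # master key is bound to the login password.
    salt, master = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "wrapped_master": seal(kek(login_pw, salt), master),
            "saved": seal(master, secret)}

def read_saved(profile: dict, login_pw: str) -> bytes:
    master = unseal(kek(login_pw, profile["salt"]), profile["wrapped_master"])
    return unseal(master, profile["saved"])

def change_password(profile: dict, old_pw: str, new_pw: str) -> None:
    # Normal change: the old password is supplied, so the master key
    # can be unwrapped and re-wrapped under the new one.
    master = unseal(kek(old_pw, profile["salt"]), profile["wrapped_master"])
    profile["wrapped_master"] = seal(kek(new_pw, profile["salt"]), master)

def external_reset(profile: dict, new_pw: str) -> None:
    # Reset from outside the account: the old password is unknown, so
    # the wrapped master key stays bound to it and nothing is re-wrapped.
    pass
```

After `external_reset`, `read_saved` with the new password raises `ValueError`, which is the "invalidated key" outcome the comment describes.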
