Security: Passwords are getting displayed in autofill dropdown
Reported by
ikips...@gmail.com,
Nov 26
Issue description

Issue: Passwords are getting displayed in autofill

Reproduction step:
1. Login to Facebook
2. Logout
3. Go to login screen of your facebook again
4. Start typing your facebook password in username field

Expected result: Facebook password should not be displayed in autofill dropdown

Actual Result: Facebook password is getting displayed in actual text format in the autofill dropdown

Note: This is a serious security issue. If someone logged out from facebook and other person uses his/her PC, the other user may get to know the password.
,
Nov 26
,
Nov 27
,
Nov 27
The link in the following section is not working. It is giving a 404 error.
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model
,
Nov 27
I tried to reproduce with Chrome version 72.0.3624.0 (Linux):

(1) I went to https://www.facebook.com, logged in with a valid account. I accepted Chrome's offer to save the password.
(2) I logged out.
(3) I got redirected back to https://www.facebook.com. I focused the username field, erased the autofilled username and started typing the first three characters of my password. There was no autofill dropdown.

Which version of Chrome and which OS are you on? Could you try with Chrome Canary, with a fresh user profile? Do you have any extensions (about:extensions) which could be interfering with the password forms?
,
Nov 27
Also, when you go to about:settings/passwords, do you see your password listed among the usernames?
,
Nov 27
My guess is that you once typed your password into that field and it's not the password manager but regular field autofill that fills it. You can clear that by going to the field, pressing the cursor down so that the autocomplete attribute is selected and pressing Shift + Delete on Windows/Linux or Shift + fn + Delete on a Mac.
,
Dec 1
Had a similar, but worse experience. To resolve, I disabled pretty much everything there is to disable in chrome://flags with the word "autofill". Just disable, disable, disable. Don't bother asking what it's about. So far, experience is closer to normal original chrome. The engineers tinkering with chrome autofill are wasting their time and doing a horrendous job. Almost pushed me out if I didn't find [all] the flags. I'd probably move sooner if it wasn't for all the lock-in.
,
Dec 3
,
Dec 3
I agree with Comment #7. The solution can be to go to chrome://settings/clearBrowserData and clear only "Autofill form data".
,
Dec 6
ikipsita@, did the comment above fix your state?
,
Dec 7
Yes, it does. Thanks.
,
Dec 7
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 7
I don't think there is a bug to fix.
,
Dec 7
Comment 1 by mbarbe...@chromium.org, Nov 26
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug