Google Chrome Password Disclosure Vulnerability

2019-09-18T00:00:00
ID 1337DAY-ID-33262
Type zdt
Reporter zdt
Modified 2019-09-18T00:00:00

Description

---------------------------
To view passwords in Chrome normally, you have to go to the Properties section, click View Passwords, and you are prompted for the user's password. This flaw discloses all passwords for the domain without the required authentication step.
---------------------------

Please see https://secureli.com/2019/09/15/password-leak-version-76-0-3809-132-official-build-64-bit/ for all information, including pictures:

When a plain-text password form field is found by Google Chrome, it will reveal all passwords on that primary domain.

For example, take a look at the following code and screenshot:

<input class="form-control secure_password required password fs-hide" data-install-name="secureli" id="ftp_user_pass_new" required="required" aria-required="true" autocomplete="new-password" type="text" name="ftp_user[pass]">

By checking the “Show Password” button, as shown below…

--- screenshot ---

…the auto-complete function in Chrome is activated and clicking on the password field shows a drop-down of all passwords saved on that domain:

--- screenshot ---
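
A site owner can look for the same pattern in their own templates: inputs that carry credentials by name, id, class or autocomplete token but are rendered as type="text". The following is an added example, not code from the original report; the hint pattern, function names and sample markup other than the reported field are assumptions.

```javascript
// Heuristic audit: flag <input> tags that look like credential fields but are plain text.
// The hint pattern is an assumption and can produce false positives (e.g. "compass").
const CREDENTIAL_HINT = /pass|pwd/i;
const CREDENTIAL_AUTOCOMPLETE = new Set(["new-password", "current-password"]);

// Parse the attributes of one <input ...> tag into a map with lower-cased keys.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per plain-text input whose attributes suggest it holds a password.
function findPlainTextCredentialInputs(html) {
  const findings = [];
  const tagRe = /<input\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
  for (const [tag] of html.matchAll(tagRe)) {
    const a = parseAttributes(tag);
    // An <input> with no type attribute is rendered as a text field.
    const type = (a.type || "text").toLowerCase();
    if (type !== "text") continue;
    const reasons = ["name", "id", "class"].filter((k) => a[k] && CREDENTIAL_HINT.test(a[k]));
    if (CREDENTIAL_AUTOCOMPLETE.has((a.autocomplete || "").toLowerCase())) reasons.push("autocomplete");
    if (reasons.length) findings.push({ field: a.id || a.name || "(unnamed)", reasons });
  }
  return findings;
}

// Constructed sample: the field from the report between two controls that should not match.
const SAMPLE = `
<input type="text" name="ftp_user[login]" id="ftp_user_login">
<input class="form-control secure_password required password fs-hide" data-install-name="secureli" id="ftp_user_pass_new" required="required" aria-required="true" autocomplete="new-password" type="text" name="ftp_user[pass]">
<input type="password" name="account[password]" id="account_password">
`;
console.log(findPlainTextCredentialInputs(SAMPLE));
```

Run over rendered pages as well as templates, since a "Show Password" toggle changes the type attribute only after user interaction.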
