Google Chrome Password Disclosure

2019.09.18
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

---------------------------
Packet Storm Editor's Note: To normally view passwords in Chrome, you have to go to the Properties section, click View Passwords, and you are prompted for a user's password. This flaw discloses all passwords for the domain without the required authentication step.
---------------------------

Please see https://secureli.com/2019/09/15/password-leak-version-76-0-3809-132-official-build-64-bit/ for all information, including pictures:

When Google Chrome finds a plain-text password form field, it will reveal all passwords on that primary domain. For example, take a look at the following code and screenshot:

<input class="form-control secure_password required password fs-hide" data-install-name="secureli" id="ftp_user_pass_new" required="required" aria-required="true" autocomplete="new-password" type="text" name="ftp_user[pass]">

By checking the “Show Password” button, as shown below…

--- screenshot ---

…the auto-complete function in Chrome is activated and clicking on the password field shows a drop-down of all passwords saved on that domain:

--- screenshot ---
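
For site owners who want to find this pattern in their own pages, here is an added example that is not part of the original advisory: a small Python lint that flags `<input>` elements which look like credential fields but are declared with a type other than `password`, as in the snippet above. The hint tokens, the function name `audit_html` and the sample form built around the advisory's field are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: substrings that suggest a field holds a secret; tune for your code base.
HINTS = ("pass", "pwd", "secret")
PW_AUTOCOMPLETE = {"new-password", "current-password"}
# Input types that never carry typed text, so they are not reported.
NON_TEXT = {"hidden", "submit", "button", "checkbox", "radio", "file", "image", "reset"}

class PasswordFieldAudit(HTMLParser):
    """Collects <input> elements that look like password fields but are not type=password."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        in_type = a.get("type", "").strip().lower() or "text"  # missing type means text
        if in_type == "password" or in_type in NON_TEXT:
            return
        reasons = []
        tokens = set(a.get("autocomplete", "").lower().split()) & PW_AUTOCOMPLETE
        if tokens:
            reasons.append("autocomplete=" + ",".join(sorted(tokens)))
        for attr in ("name", "id", "class"):
            if any(h in a.get(attr, "").lower() for h in HINTS):
                reasons.append(attr + " looks like a password field")
        if reasons:
            line, _ = self.getpos()
            self.findings.append(
                {"line": line, "id": a.get("id", ""), "type": in_type, "reasons": reasons})

def audit_html(html):
    """Return one finding per suspicious <input> in the given HTML text."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the advisory's field, a correctly typed field, and an ordinary text field.
SAMPLE = """<form>
<input class="form-control secure_password required password fs-hide" data-install-name="secureli" id="ftp_user_pass_new" required="required" aria-required="true" autocomplete="new-password" type="text" name="ftp_user[pass]">
<input id="login_pass" type="password" name="pass" autocomplete="current-password">
<input id="ftp_user_name" type="text" name="ftp_user[name]">
</form>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE):
        print(finding)
```

Because a “Show Password” toggle changes the field type at runtime, run the check against the serialized DOM in both toggle states as well as against the static templates.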



Copyright 2024, cxsecurity.com

 
