saiko saru

Google's Chrome saved password security exploit

Written on Jan 28, 09 7:04 am | Technology 15 comments | 0 Favourite (0) | tags: chrome google exploit

I have only been able to test this with Apache 2.2.11 running on Free BSD but I would assume it works across all http server requests.

The issue occurs when you visit a site that has an http password protected directory. If you save the login credentials; username and password the password is represented in Chrome's prompt box as an astrix for each character. ie: If you password was "monkey" you would see ******

Upon the next visit to the site with a new session Apache will prompt you for the credentials again to login. Previously you had Chrome save this information so Chrome will populate the username and password fields, again keeping the password with an asterix for each character. However, the exploit happens when you copy the entire password and paste it into another application, say, notepad. What is saved to your clipboard is not a series of asterix's but the actual ASCII password.

This exploit currently occurs in build 1.0.154.43 of Chrome. If you've stumbled across this entry and would like Google to be informed of this issue while you yourself run Chrome please do the following:
1) Click the 'Page' icon in the top right; on the right side of the address bar
2) Click 'Report bug or broken website'
3) Select 'Other problem'
4) Clear out information for 'Page URL' and uncheck 'Send screenshot of current page'
5) Explain the bug in the description or alternatively link them to this post.

Comments

1 thumbs!

kspiess Jan 28, 09

That's quite the find.
0 thumbs!

Chiggins Jan 28, 09

How did you manage to find this one?
- 0 thumbs!
  
  tekmosis Jan 28, 09
  
  One of the other devs who shares access to one of our sites asked for the login information. I couldn't remember the password off the top of my head so I tried ctrl+c/ctrl+v and it worked. I had to try it on another site to confirm that this was really happening.
-1 thumbs!

kik36 Jan 28, 09

So are you telling us your password is 'Monkey'? LMAO
- 0 thumbs!
  
  tekmosis Jan 28, 09
  
  of course not, I modified that as an example. There's no way I'd reveal sensitive information like that, haha.
0 thumbs!

Xenctuary Jan 28, 09

Could this be the reason why it's taking so long for Google to code an OSX version of Chrome? No exploits on our Apple fanboy version please Google!
1 thumbs!

Artificer Jan 28, 09

Are you sure this isn't by design? Seems more like a convenience option than a bug.
- 0 thumbs!
  
  tekmosis Jan 29, 09
  
  You know, it may be. It seems a bit redundant to star out the letters though if all you need to do is copy and paste it. Albeit, you can still see all your saved passwords and usernames in Chrome's options anyways but being able to copy and paste just seems to be a bit too facile.
0 thumbs!

Mcilrath Jan 29, 09

Some programs allow that, but for safety reasons display the characters as either the asterisks or when it's censored with something else, use alternate coding when pasted.
0 thumbs!

Aulis Vaara Jan 29, 09

The stars are not intended for yourself, but rather for someone who happens to look over your shoulder. Why is it such a problem that YOU can retrieve YOUR password?

I really don't see the exploit in this one. If you're worried that someone else might copy paste your password, what are you doing saving it anyway? It's not like they need to copy and paste it when they want to login as you, and that's the whole point of seeing someone's password.

IMO it's not an exploit, nor a real problem. The only thing I might be worried about is how the password is stored.
- 0 thumbs!
  
  tekmosis Jan 29, 09
  
  It was never mentioned that you yourself retrieving your own password was the issue. The problem is that the effort needed to retrieve these passwords is effortless. Being able to log in as you and knowing exactly what your password is are two different things.
  
  Take this into account; html form passwords stored when using the same method as this copies nothing to your clip board, not even the asterix'.
  
  If you can copy the password that means the only thing Chrome is doing is obfuscating the text output but not what's actually stored when it pre-populates the field.
  - -1 thumbs!
    
    Aulis Vaara Jan 29, 09
    
    I still don't see what the problem is. A person still needs access to your computer and your user to retrieve this password. In other words, they are you.
    
    If you want any real security, you don't store the password on your computer, period. Passwords are stored for your convenience. Like I said, if people are on your account, they can already access these websites, therefor it has no point securing these passwords further. Anyone working under your account is expected to be you. If that is not the case, you shouldn't store passwords, that's just irresponsibility on your behalf.
    
    I just equally easily accessed my firefox passwords. Ok, I looked them up in the preferences of Firefox, but I still didn't have to do anything special to find them. In fact, I just randomly guessed where I could find them, it was very easy.
  - 0 thumbs!
    
    huntyr Jan 29, 09
    
    The authorization pop-ups are much different than a html form password box, primarily because scripts can't access the popup since it occurs before a page is loaded and calls to a password-protected page through other means will generally result in a not authorized error unless you send the credentials in the original header packet.
    
    I suspect that this is the same behavior in safari, except we don't notice because (at least on my safari) I can't copy from the password box.
    - 0 thumbs!
      
      Xenctuary Jan 30, 09
      
      You have to authenticate yourself before viewing passwords in the OSX version of Safari (via the Keychain Access system utility). I'm not sure how it works on Windows.
-1 thumbs!

Twin_Master Feb 3, 09

Holy Crap. That's a pretty good find and a very unnerving bug. Good job tek!