
Anyone can steal all of chrome saved passwords, form fields, bookmarks, history - jimsperry
https://medium.com/@liormarga/anyone-can-steal-all-of-chrome-saved-passwords-form-fields-bookmarks-history-ab2da3b4853e
======
ineedasername
The bug response was laughable: "yes, with unrestricted access to an account you
can steal data from it".

This makes it sound like "with enough time and patience anything is possible"

But the steps described aren't even what I would call a hack. You could do
them by accident if you were trying to log in to your own account on
someone else's computer using Chrome, in less than a minute if you're quick. It
requires no technical knowledge and can be done with time to spare during
someone's bathroom break.

Here's the process in a nutshell:

1) Log out of their account in Chrome.

2) Log in to your account.

3) Lie and say you were the previous person.

This isn't a hack. There is no hack! This is a very small step above the
"honor system" as your security!

------
jogjayr
Given the number of people I've seen step away from their desks without
locking their machines (in the tech industry, no less)...I don't think "hack
relies on physical access to the machine wontfix" is an entirely reasonable
response from the Chrome team.

Maybe they could make you enter the system password for this action too, like
they did with saved passwords (earlier, saved passwords were visible in
plaintext but now you have to enter the system password to see them).

~~~
ineedasername
It's not at all a reasonable response. A small bit of malware could eliminate
the need for physical intervention: programmatically log out, log in with the
thief's account to sync, then log that one out too.

The response smacks of an attitude that "once a machine is even a little
compromised it's not our responsibility what happens. Physical access is a
compromise, therefore we don't have to fix our own loophole."

This is like a safe company saying, "Well, of course someone that breaks into
your house can also open the safe by saying, _I'm the owner_ out loud."

------
Communitivity
This is not a new phenomenon, though the ease of the exploit might be new. I
remember a while ago you could go in SQLite and look at the file Firefox
stored all the saved passwords in, for any user. That exploit was fixed, and
this one likely will be as well. I agree with other commenters, the most
disturbing thing about this is the blasé attitude of the response.

~~~
hlieberman
Mmm. You still can, if there's no master password enabled. But that's a
distinct issue from this. Here, you're going from a state that should be
entirely safe ("signed out"), to retrieving all of the secrets that are held.

Because Firefox doesn't have sign-in and sign-out like Chrome does, the
principle of least surprise kicks in.

------
smn1234
That's a walkthrough anyone can follow.

When the barrier to entry for "hacking" credentials and sensitive information
is so low, the world's really in trouble...

~~~
stcredzero
It's the thats-not-my-problem response that worries me the most.

------
yegle
When an attacker can gain access to your unlocked computer and has time to
log out of and log in to your browser, you should not expect anything on the desktop is
safe. Personally I don't see this as a security bug.

~~~
stcredzero
They should at least have to go to an effort commensurate with installing a
keylogger or something like that. Just navigating a few windows to get to see
your passwords -- that's just wrong. Anything that has what's supposed to be
a secure login shouldn't be exposing passwords like this.

~~~
rasz
You do not need any passwords to import all of it (Cookies/Passwords) if you
are already logged in. Chrome uses Windows DPAPI to encrypt it on the disk;
it's automagically decrypted when logged in.

------
cjcampbell
Would be interesting to know whether this works when a passphrase is set up to
encrypt the stored data.

------
rasz
Or you could just import all of it with one small command line program without
even popping a GUI on the screen? Doable in 3 seconds with a pendrive. This is a
non-story; the author somehow thinks his own computer should fight him.

------
osiutino
They should force users to retype their password for logging out.

~~~
liormarga
The thing is that even if you are logged out, like most people,
everything is saved in the default profile, so when you log in to Chrome you
just take all the passwords. Think about college computer farms or public
computers...

~~~
ineedasername
Or a simple bit of malware that automates the process so the thief doesn't
even need to be physically present!

