There is one thing called $0.value vulnerability


Dan Dinh

May 27, 2025, 6:27:28 PM
to Security-dev
I guess Chromium should add a PIN code feature for the user to set and use before any auto-filling in login forms.

The situation is like this:
Bob is a friend of Alice and Bob wants to get Alice's Facebook password secretly. It's easy for Bob to do so because Bob is Alice's friend.

Bob is doing this:
  • Ask Alice to use her laptop
  • Open facebook.com
  • Log out (now the Chromium-based browser auto-fills the login form)
  • Open DevTools
  • Select the password input element and type $0.value
  • Now Bob has the password from $0.value
  • Bob clicks login to log back in, so Alice doesn't know
I believe Chromium and Chrome should add a PIN feature to use before filling forms, especially passwords.

There's an option to use the OS password, e.g. Edge has a section called 'View and autofill passwords and passkeys' to enable use of the OS password before auto-filling. But the PIN should be set separately, because when Alice shares the laptop for Bob to use, usually Bob knows how to bypass the lock screen.
  • OS password is sharable
  • But the vault, password manager is a sensitive area inside

Daniel Cheng

May 27, 2025, 6:38:23 PM
to Dan Dinh, Security-dev
This sort of thing is covered by several entries in the security FAQ, specifically "Why aren't physically-local attacks in Chrome's threat model?" and "What about unmasking of passwords with the developer tools?". In short, we do not consider either a vulnerability.

Daniel