By far, the most commonly-reported “vulnerability” reported to the Chrome Vulnerability Rewards program boils down to “I can steal my own password.” Despite having its very own FAQ entry, this gets reported to the VRP at varying levels of breathlessness, sometimes multiple times per day.
You can see this “attack” in action:
Yes, it’s true, you can use Chrome (or Edge, or Firefox) to steal your own password.
-Eric
PS: “But… but… what if I don’t want to use this easy trick and instead steal my own passwords from myself by installing some software on my own PC? Isn’t that a security bug?”
PPS: “But… but… what if I’m a clever admin and I don’t allow my users to use the Developer Tools or run software. Am I safe then?” Well, no. The user can enter JavaScript in the Omnibox/Address bar, or use the Settings page to view or export passwords to a file.
PPPS: “What about the “Reveal Password” (eye) icon shown in Microsoft Edge? Can that expose an autofilled password?” No.
