Chrome warns about compromised data when using form replay
Concerned version
Version: %2.0.13
Platform: Apache
Summary
There is a new feature in Chrome that verifies user/password entered in a form against a stolen database record. See https://www.welivesecurity.com/2019/12/12/chrome-warnings-password-stolen/ or https://security.googleblog.com/2019/12/better-password-protections-in-chrome.html for more information.
The form replay feature acts in 2 steps:
- step1: a javascript fills fake data in the post form (just for sending the form)
- step2: the handler sets the desired data on the fly in the post form
During step1, the data are simply "xxxx", with the same number of x than the injected value length. This value is considered as a stolen password by Chrome, and provokes an annoying warning in the browser.
Possible fixes
Computing random value of the same length for every field in the form.