Skip to content
GitLab

Chrome warns about compromised data when using form replay

Concerned version

Version: %2.0.13

Platform: Apache

Summary

There is a new feature in Chrome that verifies user/password entered in a form against a stolen database record. See https://www.welivesecurity.com/2019/12/12/chrome-warnings-password-stolen/ or https://security.googleblog.com/2019/12/better-password-protections-in-chrome.html for more information.

The form replay feature acts in 2 steps:

  • step1: a javascript fills fake data in the post form (just for sending the form)
  • step2: the handler sets the desired data on the fly in the post form

During step1, the data are simply "xxxx", with the same number of x than the injected value length. This value is considered as a stolen password by Chrome, and provokes an annoying warning in the browser.

Possible fixes

Computing random value of the same length for every field in the form.