Ask HN: Google Chrome is uploading my password to their password leak API?
I'm curious, I was logging into a website to download some trial software, in the mean time Chrome popped up asking if I wanted to save that password to their manager. I said 'Never' as usual, but I noticed they sent my password I typed regardless to their website url 'passwordleakcheck-pa.googleapis.com'
Anyone have any insight? This doesn't feel right.
edit: There's the likelihood it's the other way around? They're downloading a big list of leaked hashes and checking it locally...
13 comments
[ 3.3 ms ] story [ 37.3 ms ] thread> "In order to inform signed-in users about leaked credentials this " "service uploads a prefix of the hashed username, as well as the " "encrypted username and password following a successful password " "form submission. The former is a 3 bytes of the hash and doesn't " "reveal the username to the server in any way. The latter is " "completely opaque to the server. The server responds with a list " "of encrypted leaked credentials matching the prefix of the hashed " "username, as well as with a re-encypted version of the uploaded " "username and password. Chrome then reverses its encryption on the " "re-encrypted credential and tries to find it in the list of " "leaked credentials. If a match is found, Chrome notifies the user " "and prompts them to change their credentials. Re-encryption part " "is for the privacy reason. The server can't read the user's " "password. At the same time the client can't read the " "usernames/passwords of other leaked accounts but only can check " "the current one.";
For research purposes only of course. I'm sure they provisioned enough instance to handle a rather aggressive fuzzing as well seeing as this thing is surely built to stand up to the entire Chrome using internet logging in at the same time, right?
And surely there is no way whatsoever one could use this data to potentially compromise other accounts...
Or use it as a basis for birthday attacks on unreported compromised accounts. Or, set up some unique credentials in compromised systems, then checking the googleapi call for it to see if the intrusion has been reported/caught yet.
Ahhhh side channels. Yes, side channels. Fnord.
None of what you’re describing is possible. Even if it was, it would not be as useful as you think as the only leaks in that database will be public leaks that everyone can easily find if they know where to look.
The actual name I see is "passwordsleakcheck-pa.googleapis.com" passwords vs password.
Then turn off password saving in chrome settings.
The password is hashed, it doesn't hurt.
It DOES hurt.
> and with my 2TB rainbow table your password is known in 0.5 seconds.
A rainbow table is only used when there is no salt in the hash. Also, if someone sniffs on your network (and can sniff on https requests), you got much bigger problems bud.
Edit: tho I'm not sure if chromium salts the password.