Google Chrome Passkeys Sensitive Information Leak Vulnerability

A vulnerability in the Passkeys implementation of Google Chrome, affecting versions prior to 140.0.7339.80, allowed local attackers to access potentially sensitive information through debug logs. This issue arose because the master key, which encrypts all passkeys, was exposed in plain text within the device log. The vulnerability could also be exploited by leaking this information via the Chrome feedback tool on ChromeOS to Google's backend servers.

Impact

The vulnerability could lead to unauthorized access to sensitive information, specifically the unencrypted master key that encrypts all passkeys, which could be exploited to manipulate or impersonate passkey-related actions.

Reproduction

To reproduce this vulnerability, create a new Google account or use an account that has not saved a passkey to Google Password Manager (GPM). Register a passkey using the GPM, then navigate to 'chrome://device-log' and select 'FIDO' as one of the types. The unencrypted Security Domain Key (SDK), which is the master key encrypting all passkeys, will be visible in the log. This key can also be leaked through the Chrome feedback tool on ChromeOS, unless redacted by a specific logic that could be altered.

Remediation

Users should update to Google Chrome version 140.0.7339.80 or later, where this vulnerability has been fixed.