Anyone With Local Access Can Steal All of Google Chrome’s Saved Passwords and More
1. Go to chrome://settings/manageProfile
3. Click "Edit person", or go to chrome://settings/people
3. Sign Out.
4. Click "Sign in to Chrome" and use another Gmail account.
5. Chrome notes that another user was previously using Chrome and asks you to choose between "This Wasn't Me" and "This Was Me".
6. Choose "This Was Me": "Add my Bookmarks, History, Passwords, and other settings to the new Gmail account."
7. Click continue.
8. Sign in with the Gmail account used earlier and browse to chrome://settings/?search=password
All of the other user's passwords, history, and bookmarks are now captured and available without ever knowing what their password was. A simple fix to this “feature” would be to challenge a user for the original account password before allowing the merge.
Security researchers reported this to Google, and their response was “Yes, given unrestricted access to a user’s account, you can steal data from it; Status: WontFix”.