CVE-2010-0556 in Chrome
Summary
by MITRE
browser/login/login_prompt.cc in Google Chrome before 4.0.249.89 populates an authentication dialog with credentials that were stored by Password Manager for a different web site, which allows user-assisted remote HTTP servers to obtain sensitive information via a URL that requires authentication, as demonstrated by a URL in the SRC attribute of an IMG element.
Analysis
by VulDB Data Team • 04/30/2026
This vulnerability in Google Chrome versions prior to 4.0.249.89 represents a critical information disclosure flaw that exploits the browser's authentication dialog handling mechanism. The issue occurs within the browser/login/login_prompt.cc component where the authentication dialog incorrectly populates credentials from the Password Manager for one website when another website requires authentication. This cross-site credential leakage allows malicious HTTP servers to craft specific URLs that can trigger the display of stored credentials from different domains, creating a significant security risk for users who have saved passwords for multiple sites.
The credential leakage is demonstrated with a URL in the SRC attribute of an IMG element. When a remote HTTP server constructs an image tag with a malicious URL in the SRC attribute that requires authentication, the browser's login prompt component fails to properly isolate credentials between different host domains. This flaw specifically affects the password manager integration where stored credentials are automatically populated into authentication dialogs without proper domain validation. The vulnerability requires user interaction to trigger since the user must navigate to a page containing the malicious image, but once triggered, it provides attackers with access to potentially sensitive authentication information.
From an operational impact perspective, this vulnerability exposes users to credential theft across different websites, potentially allowing attackers to compromise accounts on multiple domains. The attack vector demonstrates a failure in browser security boundaries where credentials stored for one website are incorrectly made available to another. This represents a violation of the principle of least privilege in web browser security architecture, where credential storage and retrieval mechanisms should maintain strict separation between different domains. The vulnerability affects the browser's trust model and undermines user confidence in password manager functionality.
The flaw aligns with CWE-200, which describes information exposure, and specifically relates to improper access control in web applications. It also maps to ATT&CK technique T1531, which covers "Modify Authentication Process" through credential access mechanisms. The vulnerability demonstrates poor input validation and improper credential isolation within the browser's authentication subsystem, creating a pathway for attackers to exploit the password manager's functionality against unintended targets. This type of flaw represents a fundamental breakdown in browser security architecture where the boundaries between different web contexts are not properly enforced.
Mitigation strategies should focus on implementing proper domain validation before credential population in authentication dialogs. Browser vendors should ensure that stored credentials are only presented for the specific domain requiring authentication, with strict enforcement of cross-origin security policies. Users should be advised to regularly review their saved passwords and avoid saving credentials for sensitive sites on browsers that may be vulnerable. The patch for this vulnerability in Chrome 4.0.249.89 addressed the credential isolation mechanism by implementing proper domain boundary checking before credential population. System administrators should monitor for affected browser versions and ensure timely updates to protect against this credential leakage attack vector.
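The domain check described above, as an added example that is not Chrome's code and not part of the original analysis. The types, `PrefillWeak` (a hypothetical flawed lookup), `PrefillStrict`, and the sample store and host names are all constructed for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Credentials are scoped to the exact (scheme, host, port) of a server.
struct Origin {
    std::string scheme, host;
    int port;
    bool operator==(const Origin& o) const {
        return scheme == o.scheme && host == o.host && port == o.port;
    }
};
struct SavedLogin {      // one password-manager entry (hypothetical type)
    Origin origin;
    std::string realm, username, password;  // realm is empty for form logins
};
struct AuthChallenge {   // a 401 received while loading a resource
    Origin challenger;   // server that sent the 401, e.g. the host in IMG SRC
    Origin top_level;    // page shown in the tab
    std::string realm;
};
// Hypothetical flawed lookup: keyed on the page in the tab, so a 401 from
// any embedded resource is offered the embedding site's saved login.
const SavedLogin* PrefillWeak(const std::vector<SavedLogin>& store,
                              const AuthChallenge& c) {
    for (const auto& s : store)
        if (s.origin == c.top_level) return &s;
    return nullptr;
}
// Domain validation before population: only an entry saved for the
// challenging server's own origin and realm may fill the dialog.
const SavedLogin* PrefillStrict(const std::vector<SavedLogin>& store,
                                const AuthChallenge& c) {
    for (const auto& s : store)
        if (s.origin == c.challenger && s.realm == c.realm) return &s;
    return nullptr;
}
// Constructed sample data: two saved logins and a cross-site image challenge.
std::vector<SavedLogin> SampleStore() {
    return {SavedLogin{Origin{"https", "bank.example", 443}, "", "alice", "s3cret"},
            SavedLogin{Origin{"https", "intranet.example", 443}, "staff", "alice", "wiki-pw"}};
}
AuthChallenge CrossSiteImageChallenge() {
    return AuthChallenge{Origin{"http", "img.other.example", 80},
                         Origin{"https", "bank.example", 443}, "login"};
}
int main() {
    auto store = SampleStore();
    auto c = CrossSiteImageChallenge();
    std::cout << "weak:   " << (PrefillWeak(store, c) ? "prefilled" : "empty") << "\n";
    std::cout << "strict: " << (PrefillStrict(store, c) ? "prefilled" : "empty") << "\n";
}
```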