When an attacker can gain access to your unlocked computer and have time to logout/login your browser, you should not expect anything on the desktop is safe. Personally I don't see this as a security bug.
They should at least have to go to an effort commensurate with installing a keylogger or something like that. Just navigating a few windows to get to see your passwords -- that's just wrong. Anything that has what's supposed to have a secure login shouldn't be exposing passwords like this.
You do not need any passwords to import all of it (Cookies/Passwords) if you are already logged in. Chrome uses Windows DPAPI to encrypt it on the disk, its automagically decrypted when logged in.
This "hack" takes all of a minute and provides access not to the data on the desktop, but to every website or web based login used, if the user relies on chrome for such things. This isn't "if a thief is physically in your data center you've already lost". This is "I went three doors down to the vending machine for a soda and Oh My God they got my bank account credit cards and all my social media"
But this is not an attacker this is anyone you don't need to compile dll
When you got one computer with several passwords to google accounts you can than sync them to your chrome browser and so on
you can steal millions of google accounts and sync it to one malicious account.
people probably doing it right now :(
I think.it's security issue I manged to "steal" my family google acount and their freinds with their permision
you can't beleive how many I got in few seconds.
so I reported as security issue....