Issue metadata
Sign in to add a comment
|
Security: Push notification meassages leak
Reported by
nik...@gmail.com,
Mar 16 2016
|
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS Push notification messages can be viewed by unauthenticated and unauthorized user when in a multi user chrome environment. VERSION Chrome Version: [49.0.2623.87] + [stable, beta] Operating System: [Ubuntu 15.10] REPRODUCTION CASE Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug. FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION Type of crash: [tab, browser, etc.] Crash State: [see link above: stack trace, registers, exception record] Client ID (if relevant): [see link above]
,
Mar 16 2016
+Owen for product, Miguel FYI I am going to argue that this is working as intended. For desktop users, the large benefit of Push Notifications is that there is no requirement for the site's tab to be open. I don't see why this would be different for windows— even when there are no windows at all, providing we can get the resource usage requirements in order[1]. From a technical point of view, we don't destroy Profile instances (even when there are no more open windows) so the keyed services stay alive. This includes the GCMProfileService and its connection to GCM. This does raise two questions in regards to profiles: (1) Does the user "sign out" of a profile at all? That's not how it's implemented today. (2) Should we attribute profiles on notifications somehow? The UI is very crowded as-is. I suspect that this issue also applies to many other features, including extension APIs that can run in the background (e.g. alarms, gcm). [1] 585080
,
Mar 16 2016
You don't even have to sign out of your account. It happens even when you switch to a alternate user. I don't know but i think a user should not even be able to view push messages regarding other signed in user. This raises serious issue where a system is used by many different user.
,
Mar 16 2016
Yes, but from Chrome's point of view the other profile is still active. Adrienne, Mustafa, I think this boils down to a UX/user expectation issue. WDYT?
,
Mar 16 2016
If there is an actual 'sign out' step in Chrome profiles then I imagine we should probably stop listening for push at that point, but I don't think there is any such affirmative action. Is this regarding some variant of the profile switcher where the user has to enter a username and password to access pages with the other profile? If so then it begs the question of what happens when the user clicks a notification from another profile. If not, then this doesn't seem like an issue to me.
,
Mar 17 2016
Re #5: You can sign out in settings as well as delete profiles. For those cases I agree it would make sense to stop listening for push for that profile. However if it's just closing a profile which someone could easily reopen by clicking on the profile switcher, then I think this is WAI
,
Mar 17 2016
OK, I just tested with the attached extension: A non-push notification from an extension is still displayed even if the user closes the window belonging to that profile. The behavior reported here seems consistent with other profile keyed features, so wontfixing.
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mea...@chromium.org
, Mar 16 2016Components: UI>Notifications Blink>PushAPI