New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 595214 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Push notification meassages leak

Reported by nik...@gmail.com, Mar 16 2016

Issue description

VULNERABILITY DETAILS
Push notification messages can be viewed by unauthenticated and unauthorized user when in a multi user chrome environment.

VERSION
Chrome Version: [49.0.2623.87] + [stable, beta]
Operating System: [Ubuntu 15.10]

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

 
prop.html
454 bytes View Download

Comment 1 by mea...@chromium.org, Mar 16 2016

Cc: peter@chromium.org f...@chromium.org
Components: UI>Notifications Blink>PushAPI
Text from the attachment:

"Sign into chrome with a user and subscribe to push notification from a site,lets say, <a href="http://Facebook.com">Facebook.com</a></li>
<li>Switch to a new user and log in</li>
<li>Now when push notification arrives it is visible for the new user.</li>"

I'm not sure what the desired behavior here, do we allow push notifications if the user signs out?

Comment 2 by peter@chromium.org, Mar 16 2016

Cc: miguelg@chromium.org owe...@chromium.org
Labels: OS-Linux OS-Mac OS-Windows
+Owen for product, Miguel FYI

I am going to argue that this is working as intended.

For desktop users, the large benefit of Push Notifications is that there is no requirement for the site's tab to be open. I don't see why this would be different for windows— even when there are no windows at all, providing we can get the resource usage requirements in order[1].

From a technical point of view, we don't destroy Profile instances (even when there are no more open windows) so the keyed services stay alive. This includes the GCMProfileService and its connection to GCM.

This does raise two questions in regards to profiles:

  (1) Does the user "sign out" of a profile at all? That's not how it's implemented today.
  (2) Should we attribute profiles on notifications somehow? The UI is very crowded as-is.

I suspect that this issue also applies to many other features, including extension APIs that can run in the background (e.g. alarms, gcm).

[1] 585080

Comment 3 by nik...@gmail.com, Mar 16 2016

You don't even have to sign out of your account. It
happens even when you switch to a alternate user. 
I don't know but i think a user should not even be able to view push messages regarding other signed in user. This raises serious issue where a system is used by many different user. 

Comment 4 by peter@chromium.org, Mar 16 2016

Yes, but from Chrome's point of view the other profile is still active.

Adrienne, Mustafa, I think this boils down to a UX/user expectation issue. WDYT?

Comment 5 by owe...@chromium.org, Mar 16 2016

If there is an actual 'sign out' step in Chrome profiles then I imagine we should probably stop listening for push at that point, but I don't think there is any such affirmative action.

Is this regarding some variant of the profile switcher where the user has to enter a username and password to access pages with the other profile? If so then it begs the question of what happens when the user clicks a notification from another profile. If not, then this doesn't seem like an issue to me.

Comment 6 by f...@chromium.org, Mar 17 2016

Re #5: You can sign out in settings as well as delete profiles. For those cases I agree it would make sense to stop listening for push for that profile.

However if it's just closing a profile which someone could easily reopen by clicking on the profile switcher, then I think this is WAI

Comment 7 by mea...@chromium.org, Mar 17 2016

Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
OK, I just tested with the attached extension: A non-push notification from an extension is still displayed even if the user closes the window belonging to that profile.

The behavior reported here seems consistent with other profile keyed features, so wontfixing.


notifications_test.zip
2.5 KB Download
Project Member

Comment 8 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Sign in to add a comment