
Issue 596017


Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2016
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




A theoretical security threat presented for the Chrome reward program

Reported by loubier....@gmail.com, Mar 18 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce the problem:
Considering it is basically a theoretical threat, I cannot reproduce it at this moment.

What is the expected behavior?
Take a measure to prevent it before it is discovered.

What went wrong?
Nothing wrong so far, because I didn't hear about it in the news, but I could hear about it one day if the threat is not covered by Google. Please read the document attached.

Did this work before? N/A 

Chrome version: 49.0.2623.87  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 21.0 r0

It is a theoretical security threat, but be assured it might be a serious threat if it is not covered.
 
Google Security.doc
25.0 KB

Comment 1 by mea...@chromium.org, Mar 18 2016

Labels: Needs-Feedback
Status: WontFix (was: Unconfirmed)
Pasting from the doc:
"""
Hi there,

I am a computer analyst and I have worked on development and maintenance systems in my career.

My employer is Revenu Quebec, a Government of Quebec organisation.

Lately, I was asked to join the team that is responsible for security in the organisation. System security was completely new for me.

My first job was to check the security of a new system developed by the organisation.

One of the first things I did in my new job was to meet the person responsible for the new system. I wanted him to show me an overview of the system; how it was basically working. So, we met, and the guy started the presentation.

As he was surfing on the application, I was asking questions. After only a few minutes, I asked a simple question “In that case, did you provide security?”. My colleague looked at me, amused, and answered “No, we didn’t”; the case was noted for correction.

Yesterday, I read in the news that Google increased its reward amount and this reading reminded me of that failure found in our new system, and I wondered if Google was protected against that kind of security issue. I pretend a huge organisation like Google is protected, but it is not guaranteed at all...

Considering there is a reward for the discovery of a security failure, all I can say is that the threat is basically a theoretical one. The only way to verify if it is covered is to discuss it with a person who is very close to the development of a system, like the chief developer.

Have a nice day.

Mario
Levis, Quebec, Canada
"""

Thanks for the report. Without any details about the vulnerability or a proof of concept, there isn't anything actionable for us to do here so I'm closing this bug. Feel free to add them to this bug and we are happy to reopen.
Project Member

Comment 2 by sheriffbot@chromium.org, Jun 25 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
