New issue
Advanced search Search tips

Issue 600684 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 543851
Owner: ----
Closed: Apr 2016
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security



Sign in to add a comment

clipboard works on lockscreen

Project Member Reported by jannh@google.com, Apr 5 2016

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 7834.66.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.111 Safari/537.36
Platform: 7834.66.0 (Official Build) stable-channel falco

Steps to reproduce the problem:
1. log in on Chromebook
2. copy "foobar" into the clipboard (type it into a textbox, CTRL+A, CTRL+X)
3. lock the screen (click in the bottom-right corner, click the lock symbol)
4. press CTRL+V

What is the expected behavior?
No interaction with the clipboard should be possible when the screen is locked.

What went wrong?
The clipboard contents are pasted into the password field, revealing the length of the clipboard contents.

If a user has his password in the clipboard while the screen is locked (yes, that's very unlikely), this would allow the screen to be unlocked. If at some point a text field is added anywhere on the lockscreen, this would probably also allow an attacker to see the clipboard contents of a locked machine.

Did this work before? N/A 

Chrome version: 49.0.2623.111  Channel: stable
OS Version: 7834.66.0
Flash Version: Shockwave Flash 21.0 r0

I think that the current impact of this is low severity or below.
 

Comment 1 by kenrb@chromium.org, Apr 5 2016

Mergedinto: 543851
Status: Duplicate (was: Unconfirmed)
This was discussed a few months ago and closed as WontFix, but its not clear they had fully considered the implications of the behavior. It is probably worth changing.
Labels: allpublic
Project Member

Comment 3 by sheriffbot@chromium.org, May 6 2017

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment