
Issue 601674

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Code reviews for security or private bugs should be private as well

Reported by resea...@nightwatchcybersecurity.com, Apr 8 2016

Issue description

Right now code reviews are public even if the underlying bug is private.

Examples:
https://codereview.chromium.org/1867553002/
https://bugs.chromium.org/p/chromium/issues/detail?id=600232

And our bug:
https://codereview.chromium.org/1827303002
https://bugs.chromium.org/p/chromium/issues/detail?id=596354

It would be trivial to write a program that parses all code reviews, looks for bug links and hits them to check if they are private or not. This can result in something along the lines of the following, which happened to Firefox:

http://www.computerworld.com/article/2980745/web-browsers/mozilla-admits-bug-tracker-breach-led-to-attacks-against-firefox-users.html
 

Comment 1 by kenrb@chromium.org, Apr 8 2016

Status: WontFix (was: Unconfirmed)
Thanks for the suggestion.

Unfortunately there isn't a very good solution to this problem. I will note that both of the code reviews you linked landed on trunk within 24 hours of being posted, so somebody scanning commits (and then checking if the code reviews were private) would have become aware of a vulnerability fix less than a day later than they would have by scanning code reviews looking for private bugs.

This is a risk we inherently accept by being an open source project, and our best mitigation is to have fast release cycles and frequent merges of security fixes, minimizing user exposure to security flaws as best we can.
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 16 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Cc: ya...@nightwatchcybersecurity.com
