
Issue 609587


Issue metadata

Status: WontFix
Closed: May 2016
Pri: 3




I can get the information of nearly everyone in my school and their parents

Reported by tfoste...@waynelocal.net, May 5 2016

Issue description

This template is ONLY for reporting privacy issues. Please use a different
template for other types of bug reports.

Please see http://www.chromium.org/Home/chromium-privacy for further
information.


PRIVACY ISSUE
At my school, students use many of the same surface computers with Google Chrome to work on math and other school-related work. Unfortunately, none realize that unless they manually log out of the browser, all of their private information is available to any student. I myself have successfully logged on to peers' Twitter, Facebook, and Google accounts by accessing countless passwords, and I even could access family members' passwords if I desired. I notified many of my classmates of the danger and have systematically gone through the computers to remove my account from the computers. The issue comes in the fact that the browser allows anyone to go into advanced settings and access the "manage passwords" aspect of the browser without requiring entering the Google password, even if the sign-in credentials are out of date. This concerns me because I have even noticed some parents' bank account information and their Google account information, from which someone could likely access those passwords as well. I thought it should be protected much more than it is. I am certain this is the case for many other schools, and I fear for students' and their parents' sensitive information. I would believe this would be a very easy aspect to solve by simply requiring a password a second time to the "manage passwords" setting, especially if the sign-in credentials are out of date.

VERSION:
Chrome Version: [50.0.2661.94] + [stable, beta, or dev]
Operating System: [Windows 8.1]

REPRODUCTION STEPS
On a computer that does not have a password set up, open up the Chrome browser that another person has previously logged on to, even if it has been years since they used the browser.

Go into settings and to advanced settings to click on "manage passwords."

You will not need to reenter any passwords; the computer will just show you the passwords when you click the "show" button next to the password.

Select which accounts and passwords you want and you now have access to much of their sensitive information.

Most of the time people use the same password, so once you have a few, you can usually get into anything you want of theirs. Kinda scary.

 
Status: WontFix (was: Untriaged)
I think that the setup in your school is fundamentally dangerous. Not all students should use the same operating system account on a computer. You may not only leak your passwords, but also sessions (i.e. after forgetting to log out of a website), browsing history, downloaded files, etc.

If your school's admin is not able to fix that, maybe they can at least take a look at enterprise policies. For example, they can disable the password manager by policy:
https://www.chromium.org/administrators/policy-list-3#PasswordManager

You propose to solve this "by simply requiring a password a second time to the 'manage passwords' setting". This is already the case on Windows, but only if the machine has a Windows password configured.

Also be aware of this: https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools-

So, to reiterate: I think that your school should reconsider their setup.
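
An added example, not part of the original thread and not Chromium project code: one way a Windows administrator could apply the policy suggested in the reply above on a shared machine. It assumes Google Chrome reading machine-level policy from the `HKLM:\SOFTWARE\Policies\Google\Chrome` registry key and the `PasswordManagerEnabled` policy; the function names are hypothetical.

```powershell
# Added example (not from the issue thread). Run from an elevated PowerShell prompt.
# Assumption: Google Chrome on Windows, machine-level policy key below.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$PolicyName = 'PasswordManagerEnabled'

function Set-ChromePasswordManagerDisabled {
    # Create the policy key if no Chrome policy has been set on this machine yet.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # 0 = Chrome no longer offers to save passwords for any profile on this machine.
    New-ItemProperty -Path $PolicyKey -Name $PolicyName `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-ChromePasswordManagerDisabled {
    # Returns $true only when the policy value exists and is explicitly 0.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$PolicyName -eq 0)
}

Set-ChromePasswordManagerDisabled

if (Test-ChromePasswordManagerDisabled) {
    Write-Output 'PasswordManagerEnabled is set to 0 (password saving disabled by policy).'
} else {
    Write-Warning 'Policy not applied; check that the prompt is elevated.'
}

# Caveat: the policy stops new passwords from being saved. Passwords already
# stored in existing profiles are not removed and must be cleared separately
# (or the shared profiles deleted) before the machine is handed back to students.
```

After restarting Chrome, the applied value can be confirmed on the `chrome://policy` page. This only addresses saved passwords; the shared operating system account still exposes sessions, history and downloads, as the reply notes.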
