New issue
Advanced search Search tips

Issue 615136 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2016
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security



Sign in to add a comment

No method to sign-out of Chrome in large organizations

Reported by rayn...@hdsb.ca, May 26 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Steps to reproduce the problem:
1. Sign in to chrome
2. Close browser
3. Next user who opens browser has access to user's chrome account, saved passwords, etc.

What is the expected behavior?
There needs to be some way to totally sign out of Chrome similar to signing out of your Google Account. In larger organizations with multiple people using the same machine it is a security risk.

What went wrong?
If a user doesn't fully sign out of their network account and has signed into chrome, the next person who sits down at the computer has full access to their Chrome settings (including saved passwords).

Did this work before? N/A 

Chrome version: 50.0.2661.102  Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 21.0 r0
 

Comment 1 by mea...@chromium.org, May 26 2016

Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
Thank you for the report.

Physical access such as this is outside Chrome's threat model. Please see our FAQ which also mentions sharing the same computer with multiple people: https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

In your case, the best practice is to use separate OS accounts for each user.

Comment 2 by rayn...@hdsb.ca, May 26 2016

You can fully log out of chrome with a chromebook however. I don't see why
it can't be implemented in a full computer.

Comment 3 by mea...@chromium.org, May 26 2016

On ChromeOS, Chrome account is the OS account so when you log out of Chrome, you also get logged out of the OS.

It's different on other platforms. Other applications run as the same user as Chrome, and there is no way for Chrome to defend itself from those.
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Sign in to add a comment