Security: Incognito history is traceable by other apps.
Reported by
sasidhar...@gmail.com,
May 29 2016
Issue description
Private/adult content watched in incognito mode is being displayed in the CM Security app as a warning, 'adult content'. This makes the purpose of incognito mode useless. Replication steps: Watch xvideos in incognito (careful here
,
May 31 2016
I believe that app has necessary permissions to view other app activity and Chrome can't defend itself in such a scenario. Adding privacy label and dropping from security queue.
,
May 31 2016
,
May 31 2016
No, it doesn't... It's just after the recent update.
,
May 31 2016
Can you check it on your end once... It seems to be a serious issue. Like, how can some other app trace Chrome history when Chrome itself is not supposed to?
,
Jun 3 2016
Could you explain which CM Security app you have installed so that I can investigate? There seem to be several ones with different permissions.
,
Jun 3 2016
Attached the app info screenshot from my phone. I am not updating the app as the new updates might cover up this issue. This isn't accepted, as you can clearly see I have given any permission on my browsing-related stuff.
,
Jun 3 2016
Typo - meant to say "I have not* given any permission"
,
Jun 7 2016
We are still trying to understand this. The last screenshot shows a search for xvideos, not a visit to the site. Is it possible that you searched for xvideos in regular mode and then opened the website in incognito mode?
,
Jun 7 2016
https://drive.google.com/file/d/0BzndUIYsEMcSN0R4NDV3c3Jlclk/view?usp=drivesdk Above is the link to the video that I have recorded on my phone... hope that helps
,
Jun 7 2016
Sorry for the nude content... tried my best to minimize it.
,
Jun 8 2016
Thank you very much. I have reached out to our security experts again.
,
Jun 8 2016
Another follow up question. Have you rooted your device or is this a genuine Android?
,
Jun 8 2016
That is genuine Android .. Did not root my phone
,
Jun 13 2016
I am just curious here. Any progress so far? Did we get the root cause? Need any inputs?
,
Jun 13 2016
Some people are investigating in the background. I'll update the ticket as soon as there is news.
,
Jun 13 2016
Thanks... Is this replicable? I mean, are you guys able to replicate this issue?
,
Jun 13 2016
not always but often
,
Jun 13 2016
Ok thanks....
,
Jun 15 2016
Is the status still 'unconfirmed'? Isn't it a valid bug?
,
Jun 15 2016
,
Jun 15 2016
Thanks for the quick updates... I just have one more doubt left: can this be considered eligible for a bounty?
,
Jun 16 2016
Here is what the situation seems to look like. We have not found any evidence that browsing history entries from incognito mode are left by Chrome. However, we have observed that CM Security uses the accessibility interface of Android to monitor the Chrome URL bar. When you enabled the accessibility APIs, you should have seen a scary warning explaining to you that software can see what you're doing on the phone. It is possible that CM Security monitors and records your browsing history in incognito mode and offers to delete the records from their own database. When you disable the accessibility API access, you should notice that CM Security does not warn you about traces left in your browsing history. There is an ongoing debate whether antivirus software is snake oil, and whether it is harming users more than helping. I am not going to comment on that. I have sent an email to cmsecurity@cmcm.com on June 13 but haven't heard back. At this point, we see no indication that Chrome or Android are doing anything wrong and leaving traces.
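A check for which apps currently hold accessibility access, as an added example that is not part of the original thread or any participant's comment. The function name, the allowlist, and the sample value (including the `com.example.securityapp` package) are constructed for illustration; the input format is the colon-separated component list Android stores in the `enabled_accessibility_services` secure setting.

```shell
#!/bin/sh
# Added example (not from the thread). Input is the colon-separated
# "package/class" list printed by:
#   adb shell settings get secure enabled_accessibility_services

# Print each package with an enabled accessibility service that is not on
# the allowlist, one per line, without duplicates.
# $1 = raw setting value, $2 = space-separated allowlisted package names
# Returns 1 if any unexpected package was printed, 0 otherwise.
audit_a11y_services() {
    a11y_raw=$1
    a11y_allow=$2
    a11y_seen=' '
    a11y_found=0
    # "null" or empty means no accessibility service is enabled.
    case $a11y_raw in ''|null) return 0 ;; esac
    a11y_old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    for a11y_component in $a11y_raw; do
        IFS=$a11y_old_ifs
        a11y_pkg=${a11y_component%%/*}   # drop the "/ServiceClass" part
        [ -n "$a11y_pkg" ] || continue
        case "$a11y_seen $a11y_allow " in
            *" $a11y_pkg "*) ;;          # allowlisted or already reported
            *) printf '%s\n' "$a11y_pkg"
               a11y_seen="$a11y_seen$a11y_pkg "
               a11y_found=1 ;;
        esac
    done
    IFS=$a11y_old_ifs
    set +f
    return "$a11y_found"
}

# Constructed sample value: TalkBack plus a hypothetical security app.
sample='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.securityapp/.UrlWatchService'
audit_a11y_services "$sample" 'com.google.android.marvin.talkback' ||
    echo 'Review the packages above: an accessibility service may read on-screen content.'
```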
,
Jun 16 2016
Ok .. Thanks
,
Jun 16 2016
But shouldn't this "CM Security uses the accessibility interface of Android to monitor the Chrome URL bar." thing be restricted in incognito mode, as whatever is done in incognito has to be incognito?
,
Jun 16 2016
No, in that case we would deprive all users that require accessibility features of using incognito mode.
,
Jun 21 2016
Got any reply from CM Security on this?
,
Jul 7 2016
I have received a response from CM Security today and they will stop this behavior in the next release. Thanks for reporting this.
,
Jul 7 2016
Thanks for the update. The only reason for reporting this is that I was expecting it to be a major privacy issue, as some other app was making misuse of a feature which I guess should not even be provided in the first place without my permission, or at least without my being notified. But the way this issue was handled just makes me feel unsafe and maybe lose trust in one of the few tech companies that I believed were there to make a difference. And I guess I am wrong. Anyway, thanks again for your time. And hopefully in the near future at least please try to be incognito when you say incognito...