New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 618581 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Privacy issue about the option of saving passwords and adding a person in the Google Chrome browser

Reported by preetham...@gmail.com, Jun 9 2016

Issue description

This template is ONLY for reporting privacy issues. Please use a different
template for other types of bug reports.

Please see http://www.chromium.org/Home/chromium-privacy for further
information.


PRIVACY ISSUE:
Thre's a privacy issue regarding the saved passwords and adding a person to the browser in Google Chrome browser.

There's an option in the Chrome Browser settings named as 'Let anyone add a person to Chrome' and with that thing enabled anyone who has access to someone's device can add themselves to the browser in someone's device.

And, Not noticing that a person's been added to their browser, whenever they sign in to any site including popular sites like Facebook, Instagram, etc., the Chrome Browser displays a notification as if to save the credentials. So, If that person accepts the request to save the credentials, The credentials can be accessed by the person who has added themselves in that browser from anywhere from any device.


VERSION:
Chrome Version: Every Version Of Chrome
Operating System: Every Operating System

REPRODUCTION STEPS:
I think this is one of the major privacy issue in the Google Chrome browser. Anyone can add themselves into someone's browser by just having access to their device and whenever their credentials are saved, The person who has added themselves can access their usernames and passwords from their own device from passwords.google.com/ 


 
Components: UI>Browser>Passwords
I am not sure I understand what you are saying. Is it the following?

1) You walk up to somebody else's computer and setup Chrome sync using your personal account. (https://support.google.com/chrome/answer/185277)

2) That person saves a password in Chrome.

3) The password is synced to your account and becomes visible at passwords.google.com.

If this is the case, then I think that this is outside of our security threat model. Anybody who can walk up to your computer could also install a virus/trojan, keylogger, ... There is not much we can do if your computer is not protected by password by the operating system and locked if you are not using it.

Comment 2 by vabr@chromium.org, Jun 9 2016

Components: Security Services>Sync
Labels: Hotlist-Polish Type-Bug
Status: WontFix (was: Untriaged)
I understand the description in the same way as battre@, and I agree with the assessment in #1. The fact that anybody with access to your machine can set up sync and get the profile data that way is known. It is not a security issue, because this is outside of Chrome's threat model. A person with an access to the machine can do much more than misuse sync. The risk of sync being misused is lower than the benefits its offers, so there are no plans to change this situation.

I am adding the sync and security components for those teams to keep me honest.

Sign in to add a comment