
Issue 626306


Issue metadata

Status: WontFix
Owner: ----
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Gain access to personal data, functions of authorize needed internet services

Reported by grand.ma...@gmail.com, Jul 7 2016

Issue description


VULNERABILITY DETAILS
Cookies are available even if they are out of date when the Chrome browser asks to restore tabs. Cookies are also available for authorization even if users didn't select the "remember me" function on websites.

VERSION
Chrome Version: 23.0.1271.97 m (and up)
Operating System: Windows


REPRODUCTION CASE

1. Log in to mail, social, bank, or other website services without selecting the "remember me" feature.
2. Unplug the electricity cable from the computer.
3. Plug the electricity cable back in.
4. Start the computer.
5. Start the browser.
6. Gain access to internet services where the user has to be authorized.

-- If a user is made to use a computer that is not his own, a potential social exploiter may cut the electricity and make the user go away from the computer. Then, later, when the exploiter turns the computer back on, he can get access to private data, etc. Can be done at home for friends, or business partners, internet cafe shops, and so on.

-- Chrome does not check whether the cookie time has expired; if it has, the cookie works anyway.
-- Chrome does not have logic for checking WHEN the crash occurred, so it doesn't matter to restore tabs even after 2 years?

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

 
Cc: jww@chromium.org mkwst@chromium.org
Components: Internals>Network>Cookies

Comment 2 by mkwst@chromium.org, Jul 8 2016

Cookies do indeed persist across browsing sessions by default. A site's "remember me" option only controls the logic that site uses when determining what expiration date to give cookies it sets, and perhaps if the cookies a user presents when making requests are valid. This is expected behavior.

Chrome does offer you some control over this locally. For example, you could get closer to the state I think you're interested in by choosing to "Keep data only until you quit your browser" from the "Cookies" section of chrome://settings/content, and choosing "Open the new tab page" from the "On Startup" section of chrome://settings/.

(It's not clear from the bug description, but if it's the case that Chrome is sending expired cookies up to the server on request, then that's a real bug that we should address. Leaving this open to confirm that point.)
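
An added illustration of the point in comment 2, not part of the original thread and not Chromium or any site's real code: the site picks the cookie lifetime at login and then decides on every request whether the presented cookie is still valid, so a cookie that survives a crash and tab restore stops working once the server-side limit passes. The class name, the cookie name `sid` and both time limits are assumptions chosen for the example.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_LIMIT = 15 * 60          # assumed: idle seconds allowed without "remember me"
REMEMBER_LIMIT = 30 * 86400   # assumed: absolute lifetime with "remember me"


class SessionStore:
    """Server-side session records; the cookie carries only an opaque id."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, remember_me, now):
        """Create a session and return (session id, Set-Cookie value)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "remember": remember_me,
                               "issued": now, "last_seen": now}
        cookie = SimpleCookie()
        cookie["sid"] = sid
        cookie["sid"]["path"] = "/"
        cookie["sid"]["secure"] = True
        cookie["sid"]["httponly"] = True
        if remember_me:
            # Persistent cookie: the browser keeps it until Max-Age runs out.
            cookie["sid"]["max-age"] = REMEMBER_LIMIT
        # Without "remember me" no Expires/Max-Age is sent (a session cookie),
        # which a browser that restores the previous session may still present.
        return sid, cookie["sid"].OutputString()

    def validate(self, sid, now):
        """Return the user for a presented cookie, or None if it is stale."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["remember"]:
            expired = now - rec["issued"] > REMEMBER_LIMIT
        else:
            expired = now - rec["last_seen"] > IDLE_LIMIT
        if expired:
            del self._sessions[sid]   # a restored cookie no longer maps to a session
            return None
        rec["last_seen"] = now
        return rec["user"]
```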

Comment 3 by ta...@google.com, Jul 13 2016

Status: WontFix (was: Unconfirmed)
I'll close this bug. If Chrome doesn't respect a cookie's expiration, please file a new bug with us.

> -- If a user is made to use a computer that is not his own, a potential social exploiter may cut the electricity and make the user go away from the computer. Then, later, when the exploiter turns the computer back on, he can get access to private data, etc. Can be done at home for friends, or business partners, internet cafe shops, and so on.

Please see this: https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

Thank you!


Comment 4 by wfh@chromium.org, Jul 13 2016

Labels: -Restrict-View-SecurityTeam

Comment 5 by sheriffbot@chromium.org, Oct 19 2016

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
