Security: Logging into Bank of America account using A's credentials logs the user into B's Account (both A's and B's credentials are stored in chrome)
Reported by rentalas...@gmail.com, Jul 26 2016
Issue description

VULNERABILITY DETAILS
Opening the Bank of America site in Chrome by providing my credentials (saved in Chrome via cookie) opens my spouse's account (also stored in Chrome via cookie).

VERSION
Chrome Version: [52.0.2743.82 m] + [stable]
Operating System: [Windows 7 Enterprise, Service Pack 1]

REPRODUCTION CASE
1) Opened https://www.bankofamerica.com/ in Chrome where my credentials are saved.
2) When I click on "Sign In", my spouse's Bank of America account is opened, instead of mine (her credentials are also saved in the Chrome browser for the Bank of America account), which I think is a security issue.

I have also attached a video demonstration for your reference.

Regards,
Srikanth
Jul 26 2016
Sorry, upon watching the video, it looks like this bug has to do with BoA's saved password feature and not Chrome's password manager. This is most likely a bug in bankofamerica.com. Can you report this there instead? If it does end up being a bug in Chrome, then their developers are likely in a better position to pinpoint exactly what is going wrong here.
Nov 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rickyz@chromium.org, Jul 26 2016