Attackers can view user's history, bookmarks, and other Chrome settings once they can access the user's profile folder
Reported by duc.n...@gmail.com, Oct 12 2016
Issue description

PRIVACY ISSUE
Attackers can view user's history, bookmarks, and other Chrome settings once they can access the user's profile folder.

VERSION:
Chrome Version: [53.0.2785.143] + [stable]
Operating System: [Windows 7/8/10 and XP/Vista maybe]

REPRODUCTION STEPS
1. Attackers access the user's profile folder (it's not too hard; by default, Windows does not encrypt this folder)
2. Attackers copy the user's profile folder (C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\) to their profile folder (C:\Users\<ATTACKERS>\AppData\Local\Google\Chrome\User Data\)
3. Attackers open Chrome, and now they can view the user's history, bookmarks and other settings.

Fortunately, attackers cannot view the user's password, or automatically sign in to the user's web accounts (Gmail, Facebook, ...)

CONCLUSION
Please encrypt the private data, so even when attackers are able to access the user's profile folder, they still cannot read/use that.

Thank you so much.
Comment 1 by battre@chromium.org, Oct 12 2016
Status: WontFix (was: Untriaged)