
Issue 656898


Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security




chrome authenticity issue

Reported by cmarkta...@gmail.com, Oct 18 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36

Steps to reproduce the problem:
1. a248.e.akamai.net
2. akamai ghost vulnerabilities
3. 

What is the expected behavior?
This allows remote code execution which allows remote attackers to execute arbitrary code which leads to memory corruption. This could compromise the whole system. Since this was prone to CSRF bypass, other vulnerabilities like clickjacking are also possible.

What went wrong?
Remote code execution
CSRF bypass
authentication bypass
sql injection
weak cipher and weak key exchange
Information leak

Did this work before? Yes 53

Chrome version: 54.0.2840.59  Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 23.0 r0
 
Attachments:
google chrome critical extensions.jpg (372 KB)
Weak cipher and dhe.jpg (188 KB)
gmail to console.jpg (219 KB)

Comment 4 by mmoroz@chromium.org, Oct 18 2016

Labels: Needs-Feedback
Thanks for your report!

Could you please provide a detailed step-by-step instruction on how to reproduce each of the issues you've described (RCE, CSRF bypass, etc.)?

This is to improve my report.

My antivirus warns me that the Chrome app has an invalid certificate name. Either the name is not on the allowed list or was explicitly excluded. I tested the domain health of the given URL, cdn.taboolasyndication.com:
http://mxtoolbox.com/domain/cdn.taboolasyndication.com/
 
I also tested the domain health of the certificate issuer, a248.e.akamai.net:

http://mxtoolbox.com/SuperTool.aspx?action=http%3a%2f%2fa248.e.akamai.net%2f&run=toolpage#

http://mxtoolbox.com/domain/a248.e.akamai.net/

Weak TLS leaks sensitive information which allows remote attackers to attack the clients.

These are the vulnerabilities I discovered and the step-by-step reproduction:

1. Injection flaws result from the classic failure to filter untrusted input. It happens when I pass unfiltered data to the SQL server (SQL injection), to the browser (XSS), to an LDAP server (LDAP injection) or anywhere else. An attacker can inject commands into these entities, which results in loss of data and hijacking of the client's browser.

2. Broken Authentication This is a collection of multiple problems that might occur during broken authentication, but they don’t all stem from the same root cause.

3. An attacker gives your web application JavaScript tags on input. When this input is returned to the user unsanitized, the user’s browser will execute it. It can be as simple as crafting a link and persuading a user to click it, or it can be something much more sinister. On page load the script runs and, for example, can be used to post your cookies to the attacker.

4. This is a classic case of trusting user input and paying the price in a resulting security vulnerability. A direct object reference means that an internal object such as a file or database key is exposed to the user. The problem with this is that the attacker can provide this reference and, if authorization is either not enforced (or is broken), the attacker can access or do things that they should be precluded from.

For example, the code has a download.php module that reads and lets the user download files, using a CGI parameter to specify the file name (e.g., download.php?file=something.txt). Either by mistake or due to laziness, the developer omitted authorization from the code. The attacker can now use this to download any system files that the user running PHP has access to, like the application code itself or other data left lying around on the server, like backups. Uh-oh.

Another common vulnerability example is a password reset function that relies on user input to determine whose password we’re resetting. After clicking the valid URL, an attacker can just modify the username field in the URL to say something like “admin”.

Incidentally, both of these examples are things I myself have seen appearing often “in the wild”.

5. CSRF (Cross-site Request Forgery)
In the case of CSRF, a 3rd party site issues requests to the target site (e.g., your bank) using your browser with your cookies / session. If you are logged in on one tab on your bank’s homepage, for example, and they are vulnerable to this attack, another tab can make your browser misuse its credentials on the attacker’s behalf, resulting in the confused deputy problem. The deputy is the browser that misuses its authority (session cookies) to do something the attacker instructs it to do.

6. Akamai Ghost Security vulnerability 
Stack-based buffer overflow in the GetPrivateProfileSectionW function in Akamai Technologies Download Manager ActiveX Control (DownloadManagerV2.ocx) after 2.0.4.4 but before 2.2.1.0 allows remote attackers to execute arbitrary code, related to misinterpretation of the nSize parameter as a byte count instead of a wide character count.
Leaks can also come from my Gmail; here are the signs that my emails are not sent using TLS and leak data.

Delivered-To: cmarktan15@gmail.com
Received: by 10.157.35.244 with SMTP id t107csp849703otb;
        Tue, 18 Oct 2016 01:41:56 -0700 (PDT)
X-Received: by 10.36.58.212 with SMTP id m203mr13271993itm.31.1476780116758;
        Tue, 18 Oct 2016 01:41:56 -0700 (PDT)

TLS attackers can use this weakness.
Reproduction Steps.

I checked the webpage and I figured out this misconfiguration bug of $==0.
This welcomes all types of vulnerabilities. This makes me like a walking experiment for vulnerabilities. My computer's system was already compromised by now. The unknown name space apps caused this all. .IO. 

This configuration was used by the attacker to get my bandwidth and corrupt my computer memory.
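Item 4 above describes a download.php-style handler that joins a user-supplied file name to a directory with neither an authorization check nor any containment of the path. The following is an added example, not code from this report or from Chromium, showing the unchecked pattern next to a hardened handler that performs both checks. The user names, the allow-list and the sample files are constructed for the demo; the function names are hypothetical.

```python
import os
import tempfile

# Added example, not code from this bug report or from Chromium. It shows
# the two checks whose absence item 4 of the report describes for a
# download.php-style handler: an authorization check, and confinement of the
# requested name to the intended directory. All names here are hypothetical.


class DownloadError(Exception):
    """Raised when a download request must be refused."""


# Constructed sample allow-list: which file names each user may fetch.
ALLOWED_FILES = {
    "alice": {"report.txt"},
    "bob": {"invoice.txt"},
}


def resolve_unsafe(base_dir, requested):
    """The pattern the report criticises: the user-supplied name is joined to
    the directory with no authorization and no containment check, so '..'
    sequences or absolute paths resolve to files outside base_dir."""
    return os.path.join(base_dir, requested)


def is_confined(base_dir, requested):
    """True only if `requested`, fully resolved (symlinks and '..' included),
    still lies inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def resolve_download(base_dir, user, requested):
    """Hardened counterpart of resolve_unsafe: returns the absolute path the
    handler may serve, or raises DownloadError."""
    # 1. Authorization: the caller must be allowed this file by name.
    if requested not in ALLOWED_FILES.get(user, set()):
        raise DownloadError("not authorized")
    # 2. Containment: defence in depth even if the allow-list is later edited
    #    to hold a name such as '../secret.txt'.
    if not is_confined(base_dir, requested):
        raise DownloadError("path escapes download directory")
    candidate = os.path.realpath(os.path.join(base_dir, requested))
    if not os.path.isfile(candidate):
        raise DownloadError("no such file")
    return candidate


def make_sample_dir():
    """Create a constructed download directory with two files for the demo."""
    d = tempfile.mkdtemp(prefix="downloads_")
    for name in ("report.txt", "invoice.txt"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("sample " + name + "\n")
    return d


if __name__ == "__main__":
    d = make_sample_dir()
    print(resolve_download(d, "alice", "report.txt"))
    for user, name in (("bob", "report.txt"), ("alice", "../etc/passwd")):
        try:
            resolve_download(d, user, name)
        except DownloadError as err:
            print("refused %s for %s: %s" % (name, user, err))
```

The authorization check alone would already reject the traversal names, but the containment check is kept independently so that a later change to the allow-list (or a handler that takes names from a database instead) cannot silently reopen the hole; both realpath calls matter, because comparing unresolved strings misses symlinks and '..' components.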
Status: WontFix (was: Unconfirmed)
As with the reporter's other bugs (Issue 656031 and Issue 656229), this is simply a list of types of vulnerabilities in computer software and not an actionable report of a vulnerability in Chrome. This report references bugs in ActiveX controls (which do not run in Chrome) and TLS configuration weaknesses in CDNs (which are not bugs in Chrome). Gmail uses TLS via HTTPS for all users and uses TLS for mail transmission to the extent possible.

Comment 10 by sheriffbot@chromium.org, Jan 31 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
