Security: Unexpected credential sharing
Reported by
gedanken...@gmail.com,
Oct 23 2016
Issue description
VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.
VERSION
Chrome Version: [54.0.2840.59 (64-bit)] + [stable]
Operating System: [Ubuntu 16.04.1 LTS]
User 1 signs in at https://drive.google.com, saves the password and logs out afterwards. User 2 signs in to Chrome and is now able to log in to the account of user 1 from everywhere he wants. Reproduced on several different computers/OS.
Oct 24 2016
User 1 uses computer 1, opens Chrome, goes to https://drive.google.com/ and signs in. Chrome asks to save the password and user 1 stores it. Now he logs out of the website https://drive.google.com/. User 2 also uses computer 1, opens Chrome and signs in to the user profile in Chrome. He is now able to access the account from computer 1 and all other computers where he signs into the user profile in Chrome. It doesn't matter if it is a Linux system, Mac OS X or Windows system.
Oct 31 2016
> and signs in to the user profile in Chrome
Could you clarify a bit more?: User 2 signs into user2's profile or user1's profile?
> He is now able to access the account from computer 1 and all other computers where he signs into the user profile in Chrome
Did you mean user2 can access user1's drive.google.com account from any other computer? Thanks
Oct 31 2016
User 2 signs into user2's profile. Yes, I mean user2 can access user1's drive.google.com account from any other computer.
Nov 1 2016
I suspect what's happening is that user 1 is saving their password in the default profile, and then user 2 is using that same profile and enabling syncing, thus syncing user1's saved password to all of user2's other logged-in chrome instances. To avoid that, each user should have their own account in the OS, and should not share a profile. In general this is WAI.
Nov 1 2016
So this is a feature and no security issue? That sounds like "to avoid that, each user should have their own computer, and should not share it" -> what would be the solution for many security issues. If this is final, please close the issue.
Nov 1 2016
Yes, if you share your OS-login account, all of your local data is accessible to another user. This includes locally saved passwords.
Feb 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Oct 24 2016
Summary: Security: Unexpected credential sharing (was: Security: account taking over)