New issue
Advanced search Search tips

Issue 666470 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Being able to access Chrome Remote Desktop computers when the Chrome User's password was changed.

Reported by oscar.bj...@gmail.com, Nov 17 2016

Issue description

VULNERABILITY DETAILS
I was able to access a remote desktop computer through one of my chrome profiles even
after the password of the chrome profile was changed.

VERSION
Chrome Version: 54.0.2840.98 + stable
Operating System: OSX El Capitan (Version 10.11.6 (15G31) )

REPRODUCTION CASE
Open REPRODUCEBUG.txt.
 
REPRODUCEBUG.txt
547 bytes View Download

Comment 1 by mea...@chromium.org, Nov 18 2016

Components: Services>Chromoting
Owner: sergeyu@chromium.org
Status: Assigned (was: Unconfirmed)
sergeyu: Could you please take a look at this security bug and reassign as appropriate? Thanks.
Labels: Security_Impact-Stable
Owner: ----
Status: Untriaged (was: Assigned)
It's not clear what the problem is. Steps in REPRODUCEBUG.txt say the following:
6. Log into the new profile again.
7. Without logging in with the email, access the Chrome Remote Desktop app.

These two steps contradict each other. The app is part of the chrome profile, so once you log in into the profile the app gets the new credentials as well. Tried reproducing the bug, and I see that password change is handled appropriately. 

Comment 4 by mea...@chromium.org, Nov 21 2016

Labels: Needs-Feedback
oscar.bjure98: Can you please clarify the question in comment #3?
Status: WontFix (was: Untriaged)
Please re-open this if you have more information to provide. Otherwise, WontFixing for now. :)
Project Member

Comment 6 by sheriffbot@chromium.org, Mar 7 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment