
Issue 668422

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Login without password asked in a previously logout gmail

Reported by alr1...@gmail.com, Nov 24 2016

Issue description

Dear Google Security team, 

I have found a way to log in to a Gmail account which was previously logged out, so that the user thinks no one can access his personal mail (and data) without his password.

This is tested using Chrome on Windows 10, but I believe the issue is not dependent on this specific situation.

This happens when the user previously used Drive (other Google-linked pages shall work).

Basically, once Gmail is logged out, a password is required. But in this situation, you can still access Drive without a password (the password has been stored). Then, from Drive, you can directly access Gmail and, amazingly, no password is asked and access is directly given, while the user could check that a password was required if you access directly.

There are other similar ways to avoid giving a password by accessing one Google page and going from there to another which is supposed to be locked. (When at the same time opening a webpage still requires a password on this specific page... which is very surprising)

Any user has a false sense of protection which could lead to major issues.

I guess this breach is so trivial that it can be used by anyone temporarily accessing / stealing the computer of someone who believes his Gmail info is safe. This false sense of security is a huge issue for the whole community and in particular the non-geeks.

I believe this issue is major and shall be rewarded with the maximum amount Google gives to security breach findings, as it is direct and easy to implement, with major consequences.

I would like to have around 20% of the award given to charities (can I choose one?) in this process upon understanding how it works precisely.


Yours faithfully.
Arnaud LR





 
Labels: Needs-Feedback
I could not reproduce this. Logging out of Gmail in one tab means that Drive prompts for a password.

Can you give specific instructions on how to reproduce this, including:

1. Chrome version
2. Step-by-step repro

Comment 2 by alr1...@gmail.com, Nov 24 2016

Thanks for coming back promptly.

Version 54.0.2840.99m

You start with having Gmail and Drive logged in in two tabs (for example)
- you close the Drive tab (but don't log out)
- you log out from Gmail and close the tab
- once you try to open a tab with Gmail, a password is asked, so you believe your data are safe.
- but if you open a Drive tab, no password is asked
- from there, if you click on the Gmail icon after going to the "9 small squares" icon in the upper right of the Drive screen, you are taken to Gmail with no password to input

So basically, closing Gmail is not enough to have it openable without a password input....
And this is reboot dependent: you can log out, close your laptop, have it stolen, and the thief who can easily break the Windows password can open your Gmail....simply by going to Drive first....

Comment 3 by alr1...@gmail.com, Nov 24 2016

Here is the movie recorded with Camtasia showing how it happens

Thanks for this. I cannot open the recording file to verify your actions; can you possibly export it in MP4 format rather than TREC format?

Comment 5 by alr1...@gmail.com, Nov 25 2016

Here is the MP4 version.
It is rather quick but I guess you can see what is going on clearly
Google_gmail_breach.mp4

Comment 6 by alr1...@gmail.com, Nov 25 2016

In the previous video you see clearly that the owner of the Gmail account does believe that he is logged off, but in fact he is not, as it is still possible to "enter his account" by entering Drive and moving between Google pages from there.

I guess most people believing that they have closed their account are vulnerable to being hacked by this means

And this way of "hacking" does not even require any computing skills..
Status: WontFix (was: Unconfirmed)
I think I understand what is going on.

From your video, I can see that when you open "Gmail", you are actually opening "www.gmail.com/intl/fr/mail/help/about.html", which is the About page for Gmail. Clicking on "Se Connecter" always opens the login page, since it doesn't go straight to www.gmail.com.

What happens when you go to just mail.google.com? Or www.gmail.com? I believe that it would just open up your logged-in email. It is a feature of Gmail (and many other sites, like Facebook) that when you close the tab but don't log out, you can tell the site to remember that you are logged in. That is what is happening here. If you don't explicitly log out, you will stay logged in, and that's what you've done.

This isn't a Chrome feature - but it is a slightly confusing flow on the Gmail login page. Perhaps it would be a good idea to take this to the Gmail Product forums - I agree that it can be somewhat misleading to be taken to the login page. But it should be clear when you first logged in that the session is being persisted after you close the tab.
Project Member

Comment 8 by sheriffbot@chromium.org, Mar 3 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
