Issue 676248

Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: ----
Type: Bug-Security

Security: Google Chrome on Linux rsync allows login without password

Reported by josephho...@gmail.com, Dec 21 2016

Issue description

Just wanted to let you guys know that when using Google Chrome on a Linux machine it's possible to rsync the user's entire home directory during a backup. That includes the .cache directory under the /home/user/ directory. If you use rsync to back up your /home/user directory (example: rsync -av /home/user /your/backup/location), this grabs all the files in that directory, including the .cache files as well. If you then go to a different computer and restore your backups using rsync -av /home/user /home/newcomputeruser, then it includes the .cache files as well. Next, if you download Google Chrome and then open it, it'll open with all your user information already loaded. It doesn't even ask you for your passwords or any authentication.

Comment 1 by wfh@chromium.org, Dec 21 2016

Labels: -Restrict-View-SecurityTeam OS-Linux
Status: WontFix (was: Unconfirmed)
Hi - thanks for your report.

Attacks that require physical access to the machine are outside of Chrome's threat model, as an attacker with this kind of access to the computer can do pretty much anything they want, including but not limited to the attack you describe.

This is described in more detail here:

https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

You can reduce the chances of an attack like this happening by using Full Disk Encryption, a strong password and a screen lock, and by locking/powering down your workstation when you are not using it (to require the disk encryption password).
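As an added example (not part of the report or of Chromium), a small Python audit that checks a backed-up or restored home directory for the Chrome files that carry session state, and builds the rsync --exclude arguments that keep those directories out of a plain backup. It assumes the Linux profile layout (~/.config/google-chrome with "Local State", "Default/Cookies", "Default/Login Data", and so on); the sample home tree is constructed in a temporary directory.

```python
"""Audit a home-directory backup for Chrome session state (added example)."""
from pathlib import Path
import tempfile

# Chrome/Chromium locations on Linux, relative to $HOME.  The report points at
# .cache; the profile itself (cookies, saved logins) lives under .config.
PROFILE_DIRS = (".config/google-chrome", ".config/chromium",
                ".cache/google-chrome", ".cache/chromium")
# Profile files that hold live session material ("Default" = first profile).
SENSITIVE_FILES = ("Local State", "Default/Cookies", "Default/Login Data",
                   "Default/Web Data", "Default/History")
SENSITIVE_DIRS = ("Default/Sessions",)

def find_session_state(home: Path) -> list[str]:
    """Home-relative paths of session-bearing Chrome files present under `home`."""
    hits = []
    for prof in PROFILE_DIRS:
        base = home / prof
        if not base.is_dir():
            continue
        hits += [f"{prof}/{rel}" for rel in SENSITIVE_FILES if (base / rel).is_file()]
        hits += [f"{prof}/{rel}/" for rel in SENSITIVE_DIRS
                 if (base / rel).is_dir() and any((base / rel).iterdir())]
    return sorted(hits)

def rsync_excludes(home: Path) -> list[str]:
    """--exclude args for browser dirs present in `home`; unanchored so they match under /home or /home/user."""
    return [f"--exclude={p}/" for p in PROFILE_DIRS if (home / p).is_dir()]

def build_sample_home(root: Path) -> Path:
    """Constructed sample tree mirroring the reporter's scenario (not real data)."""
    home = root / "user"
    for rel in ("Documents/notes.txt", ".bashrc",
                ".config/google-chrome/Local State",
                ".config/google-chrome/Default/Cookies",
                ".config/google-chrome/Default/Login Data",
                ".config/google-chrome/Default/Sessions/Session_1",
                ".cache/google-chrome/Default/Cache/index"):
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_text("constructed sample content\n")
    return home

def demo() -> tuple[list[str], list[str]]:
    """Build the sample home in a temp dir, audit it and return (hits, excludes)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_home(Path(tmp))
        return find_session_state(home), rsync_excludes(home)

if __name__ == "__main__":
    hits, excludes = demo()
    print("session state in backup:", *hits, sep="\n  ")
    print("rsync -av", *excludes, "/home/user /your/backup/location")
```

Run against a restored home directory instead of the sample tree, a non-empty result means the backup medium itself holds the browser's cookies and saved logins and needs the same protection as the workstation disk.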

Comment 2 by tsepez@chromium.org, Dec 21 2016

To add to what WFH said: this shouldn't be surprising. If you can read any data that an account owns, then you should expect to be able to use any data an account owns.