Issue 677272

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 676953
Owner: ----
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: The lack of security in accessing the data saved in the Chrome browser is the problem. The problem is that all the saved content on Google Chrome Browser is vulnerable to scanning by unauthorized applications, which can lead to data theft and hijacking of various accounts and credit card credentials

Reported by nevinkos...@gmail.com, Dec 28 2016

Issue description

The lack of security in accessing the data saved in the Chrome browser is the problem. The problem is that all the saved content on Google Chrome Browser is vulnerable to scanning by unauthorized applications, which can lead to data theft and hijacking of various accounts and credit card credentials. The Chrome security defect lets random apps be added as plugins. Well, these "harmless" plugins/other apps can freely access the saved passwords/credit details on the browser. The vulnerability lets any plugin/app scan these details with ease, with no detection whatsoever. So due to these vulnerabilities, you can copy all the saved autofill data and passwords by accessing chrome://settings/pages (autofill or passwords). Each individual unit of data can be collected by emulating the edit button click on these data. Hence all this data, which was previously copied, can be transmitted by these apps to previously set database locations.
So using this vulnerability, even mass data stealing is possible.

Steps to reproduce:
1. Add a plugin or app via the Internet onto the victim's browser.
2. The link chrome://settings/{passwords or autofill}. These links are freely accessible by typing/pasting them in the Google search bar.
3. The data can be collected from these tabs, and by emulating the "edit" click, all individual data can be collected.

VERSION
Chrome Version: [55.0.2883.87] [stable, beta, and dev]
Operating System: [Windows OS, All versions and service pack level]
                 Also possible on Android
REPRODUCTION CASE
On PC, chrome://settings/autofill and chrome://settings/passwords, when entered in the search box, show the content. Emulation of the edit button can be done by the plugin/app.

Labels: -Restrict-View-SecurityTeam
Mergedinto: 676953
Status: Duplicate (was: Unconfirmed)
Project Member

Comment 2 by sheriffbot@chromium.org, Apr 6 2017

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot