
Issue 678518

Starred by 3 users

Issue metadata

Status: WontFix
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




Users can still access all saved passwords, bookmarks and all the auto fill information in all of the machines even after the user changes Google account password in one of the machines.

Reported by amelsele...@gmail.com, Jan 5 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. Open Google Chrome with existing login credentials on Machine-1. Make sure Chrome has a couple of bookmarks and saved passwords for the websites.
2. Change the Google account password in the settings menu.
3. Open a Chrome page (already logged in with the old credentials) from another machine, say Machine-2. Access the webpages that have saved passwords and bookmarks.

What is the expected behavior?
As soon as the user opens Chrome on Machine-2, the user should see a completely logged-out Chrome with no bookmarks or saved passwords, and the user should get a prompt to enter credentials, since the user had previously logged into Machine-2 with the old credentials.

What went wrong?
The user still has access to the webpages with saved passwords, bookmarks, as well as saved autofill user data. This data can be last names, social security numbers, etc. Google Chrome failed to sign out the user from all the machines on which he/she was using Chrome. This is a significant security flaw because a user forgetting to sign out of a Chrome account on one machine, which is very likely to happen, can pose a serious breach of personal information as well as criminal activity.

Did this work before? N/A 

Chrome version: 55.0.2883.87  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 24.0 r0

Cc: vabr@chromium.org
Components: UI>Browser>Passwords
Thanks for your report. I'm not sure what the intended behavior is here.

vabr@, would you mind taking a look?

I have a feeling that it may be fine that a password change doesn't log out a user on other devices. But if this is the case, there should be a way to log out from all other devices. Again, this is only my understanding; I'm not an expert in password synchronization.
Owner: vasi...@chromium.org
Assigning to vasilii@ since vabr@ is marked OOO.
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 7 2017

Status: Assigned (was: Unconfirmed)
Cc: jeremyle@chromium.org markusheintz@chromium.org zea@chromium.org
Status: WontFix (was: Assigned)
This works as intended. There are two types of sign-in:
- Sign in to Chrome (in chrome://settings/). That means that the bookmarks and passwords are synced across devices. The user isn't supposed to sign in to Chrome on a random machine.
- Sign in to the Google account in the web page. That gives access to the content area. Changing the password will sign the user out.

Changing the Google password isn't supposed to wipe out all the devices. Syncing stops though.

Sync folks, do you have something to add regarding remote wipeout?

Comment 5 by est...@chromium.org, Jan 25 2017

Cc: sabineb@chromium.org
Issue 684809 has been merged into this issue.
Project Member

Comment 6 by sheriffbot@chromium.org, Apr 18 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -vabr@chromium.org
