New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 691578 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 670488
Owner: ----
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Most Visited Page thumbnails may reveal sensitive information

Reported by jaspals...@gmail.com, Feb 13 2017

Issue description

VULNERABILITY DETAILS
I am able to view contents of someone's personal email account by zooming in on the most visited page feature even when the account is logged out and private and confidential information can be read.

VERSION
56.0.2924.87 (64-bit)
Windows 7 Enterprise 

REPRODUCTION CASE
Go into your most visited pages time after time and google will take a screenshot at the moment that page is open  - in my case the window was open for a substantial amount of time and as a result my email contents were free for anyone to see on the "most visited page" feature 

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

 
gmailbug.JPG
52.8 KB View Download
Hi, a clearer screenshot is now attached showing full evidence of my bug report.

Thank you
googlebug2.JPG
63.4 KB View Download
Components: UI>Browser>NewTabPage
Status: Untriaged (was: Unconfirmed)
Summary: Security: Most Visited Page thumbnails may reveal sensitive information (was: Security: Most Visited Page Security Flaw on Gmail)
I believe this would be considered "Working as Intended" behavior, as access to your Chrome instance by a third-party provides access to all manner of private information as described here: https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

If it showed thumbnails from Incognito tabs, that could be deemed a privacy bug. 

Perhaps Chrome might consider an option to suppress thumbnail generation and instead only show a FavIcon or similar.
Status: WontFix (was: Untriaged)
Agree with #2. It seems you're already browsing with someone else's profile. We consider this as physically/local attack.
Close as WontFix (working-as-intended).
ah sorry it was my own personal gmail account however if it was a shared computer then I would have in theory viewed my own (or another's) email contents with the bug I found

I find it very worrying that the email contents were visible 
Hi, I think it's a common problem for all google applications.

Even this messaging appears on the thumbnail as seen in the attachment.
googleappbug.JPG
76.0 KB View Download
I wouldn't say this is working as intended as I signed out of my google mail therefore you can't say it is therefore available for public visibility if you log out of your email yet it can be seen by a third party who happens to share the same computer.

If you believe that email contents on a shared computer as public for all users then I disagree as you give users an option to log out for privacy and do not add a disclaimer that email contents can still be read despite logging out.

This is a clear security flaw despite your  arguments to say otherwise.
 Issue 691949  has been merged into this issue.
Labels: -Restrict-View-SecurityTeam allpublic
Mergedinto: 670488
Status: Duplicate (was: WontFix)
Still not a security bug.
"Still not a security bug."

Biggest joke since the two candidates for the US presidential election

Sign in to add a comment