
Issue 691949


Issue metadata

Status: Duplicate
Merged: issue 691578
Owner: ----
Closed: Feb 2017
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




Most visited sites thumbnail flaw

Reported by jaspals...@gmail.com, Feb 14 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce the problem:
 Issue 691578 

I wouldn't say this is working as intended, as I signed out of my Google Mail; therefore you can't say it is available for public visibility if you log out of your email, yet it can be seen by a third party who happens to share the same computer.

If you believe that email contents on a shared computer are public for all users, then I disagree, as you give users an option to log out for privacy and do not add a disclaimer that email contents can still be read despite logging out.

This is a clear security flaw despite your arguments to say otherwise.

VULNERABILITY DETAILS
I am able to view the contents of someone's personal email account by zooming in on the most visited page feature even when the account is logged out, and private and confidential information can be read.

VERSION
56.0.2924.87 (64-bit)
Windows 7 Enterprise 

REPRODUCTION CASE
Go into your most visited pages time after time and Google will take a screenshot at the moment that page is open - in my case the window was open for a substantial amount of time and as a result my email contents were free for anyone to see on the "most visited page" feature.

What is the expected behavior?
Expected behavior is not to have your email contents shown to other users after logging out...pretty obvious

What went wrong?
Having private email contents shown to other family members because your security flaw allows it even though I logged out of my Gmail

Did this work before? No 

Chrome version: 56.0.2924.87  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 24.0 r0

Yes, this is not working as intended obviously, as I logged out of my Gmail account; therefore private email contents are not allowed to be shown to third parties... I will report this to the EU data commissioner's office and tech mags if you claim it is "working as intended".

Attachments:
googlebug2.JPG (63.4 KB)
googleappbug.JPG (76.0 KB)
gmailbug.JPG (52.8 KB)

Mergedinto: 691578
Status: Duplicate (was: Unconfirmed)
Please do not open a new bug to argue against the "Won't Fix" resolution of an earlier bug.

> third party who happens to share the same computer

This is called a "Physically Local Attack" and it is outside the threat model of *every* browser. There's discussion here: https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

But the long and short of it is that applications (like browsers) cannot protect a user's information from their own Operating System user account. 

If you wish to share a computer with someone else and have your data private from theirs, you MUST each use different operating system login accounts (e.g. on Windows, you each have your own Windows User Account, and you log out of Windows when you want to let the other person use the computer). The Operating System is responsible for isolating your data from their data and otherwise ensuring your privacy. This is true for all browsers and all mainstream operating systems (Mac, Linux, Windows, ChromeOS). 

Labels: -Restrict-View-SecurityTeam allpublic

Comment 3 by treib@chromium.org, Feb 14 2017

The duped-into bug 691578 still seems to have some Restrict-View label; I can't access it. I'm assuming it doesn't have any more information than this one.

While this is clearly not a security issue, it can be considered a privacy issue. See bug 670488.
