Security: Username/password information for other people available on my account
Reported by jul...@pinterest.com, Mar 13 2017
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home/chromium-security/security-faq
Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs
NOTE: Security bugs are normally made public once a fix has been widely deployed.

VULNERABILITY DETAILS
Two instances of this happened today.
1) I went to xfinity.com and Chrome had autofilled a saved username/password for a user that is not me. No one has ever had access to this computer and I've never heard of the person whose information I had access to. This data let me login to their account and view all of their personal details.
2) The "do you want Google Smart Lock to save this password?" popped up for a coworker's account today while trying to login to a service.

VERSION
Chrome Version: Version 56.0.2924.87 (64-bit)
Operating System: macOS Sierra v10.12.3

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
Comment, Mar 14 2017
Yeah I think so.
Comment, Mar 14 2017
Thank you for providing more feedback. Adding requester "palmer@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment, Mar 14 2017
#2: Can you please make sure you are logged into Chrome with the account you expect? It'd be interesting (i.e. bad) if it were with an account you didn't expect...
Comment, Mar 14 2017
I'm positive that I'm logged in with the correct account. All of the other information and saved login credentials showing up are specific to me.
Comment, Mar 14 2017
In all cases of this problem we've seen, one of two things happened:

1. The User, at some point, logged Chrome into a shared computer or one borrowed from another person and enabled Sync. At that point, all future credentials entered into Chrome into that logged-in profile would sync to the profile and become available to the User. In addition, all of that User's credentials became available to that shared computer.

2. The User, at some point, loaned their PC to another person, who logged into Chrome and enabled sync. The User, upon getting the PC back, didn't notice and began sharing data with the person who borrowed their PC.

Based on the description in this Issue, scenario #1 seems more likely.

A question for the Sync folks -- Is there some way to see the list of devices from which data was sync'd? I didn't see any obvious list in chrome://sync-internals/? chrome://signin-internals/ seems to show which accounts have signins configured.
Comment, Mar 14 2017
Juliac - We may be able to investigate, but first we need to ask if we may have permission to look at the server logs related to your account? Over to ewald who has investigated these in the past.
Comment, Mar 14 2017
To address your potential solutions:

1- To my knowledge, I have never logged into Chrome on another computer as this is my work account.

2- To my knowledge, I haven't logged my PC into another user before.

For both situations, I have never heard of the person whose username/password I now have complete access to. You can definitely take a look at the server logs! I tried to figure out when the new username/password was saved to my account but couldn't find that information. Thanks for keeping me updated!
Comment, Mar 14 2017
Thank you for providing more feedback. Adding requester "tsepez@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment, Mar 14 2017
Thanks for reporting this, juliac@. Sorry to hear this happened to you, we'll definitely figure out what happened. Adding in some other Sync folks. In-ho (Sync server on-call) - can you take a look at the server logs for juliac@pinterest.com to see when and on what device the password for login.xfinity.com was created/saved to her account?
Comment, Mar 15 2017
Assigning to In-ho to take a look.
Comment, Mar 16 2017
I appreciate all of your work looking into this issue. I was able to identify the root cause and you are able to close this ticket now. Thanks!
Comment, Mar 16 2017
Thanks for the update!
Comment, Jun 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by palmer@chromium.org, Mar 14 2017
Labels: Needs-Feedback