New issue
Advanced search Search tips

Issue 701638 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Mar 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Bug where you are able to see the contents of files that display text, in the google search browser.

Reported by sticklyd...@gmail.com, Mar 15 2017 
This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home
/chromium-security/security-faq

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue:
The description of this bug is rather strange. This bug happens when a web page seems to be blocked off, or 404'd, page not found, as in no HTML file there. Though, it seems I have come across a bug where the page was a text file, as in 'users.txt' : http://imgur.com/a/2Oc8a. Though, this isn't the problem, obviously. The problem is, when you put this address into google, and not the web address bar, you get the contents of the text file. Now, this could be very bad for text files that hold important information, or, for a user list (like this was, which could expose WHO is on the website) or even some important keywords for the website, you never know. I have shown this, in the photos, i have also attached a HTML file that shows the same thing, though here is the real world example, where I found it. : https://opensourcecontributo.rs/archive/events/2016-10-31-21.users.txt - how to replicate this is to paste this into the search bar, not the address bar. After that, view the contents of it.

VERSION
Chrome Version: [x.x.x.x] + [stable, beta, or dev]
Version 57.0.2987.98 (64-bit)
Google-Chrome-Stable.
Operating System: [Please indicate OS, version, and service pack level]
Linux Gentoo, 4.9.6.

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug. (See Files attached, and the vulnerability details.)

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
N/A
forgoogle.png
85.9 KB View Download
2017-03-14-210901_3840x2160_scrot.png
1.9 MB View Download
userstext.html
789 bytes View Download

Comment 1 by tsepez@chromium.org, Mar 15 2017

Status: WontFix (was: Unconfirmed)
This isn't a bug in chrome; chrome isn't psychic and can't retrieve items that a web server never served.

What you've discovered is that Google's Search Engine caches the items it finds while crawling the web.  Although the item has been removed from the site, at one time in the past, it was present and Google retrieved it and indexed it then.
Project Member

Comment 2 by sheriffbot@chromium.org, Jun 22 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment