Issue 709935 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	----
Closed:	Apr 2017
EstimatedDays:	----
NextAction:	----
OS:	Mac
Pri:	2
Type:	Bug-Security
allpublic Via-Wizard-Security

Hijack History over network

Reported by lnunesba...@gmail.com, Apr 10 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
1. Access the victim Appdata
2. Copy and excecute commnand in terminal
3. See the victim history access 

What is the expected behavior?
Don't have access to the file.

What went wrong?
Breach of security.

Did this work before? N/A 

Chrome version: 57.0.2987.133  Channel: stable
OS Version: OS X 10.12.2
Flash Version: 

I want enter in the program of Google that pays for discovery security issues.

breach.zip
259 KB Download

Comment 1 by dominickn@chromium.org, Apr 10 2017

Status: WontFix (was: Unconfirmed)

Thanks for the report. Unfortunately, this attack requires physical access to the user's machine (their AppData directory). When an attacker has physical access to a user's machine, there is nothing we can do to protect the user any more. The attacker can simply take the hard drive off with them for instance.

See https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- for more information.

Project Member

Comment 2 by sheriffbot@chromium.org, Jul 17 2017

Labels: -Restrict-View-SecurityTeam allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 709935 link

Issue metadata

Hijack History over network

Issue description

Comment 1 by dominickn@chromium.org, Apr 10 2017

Comment 1 Deleted

Comment 2 by sheriffbot@chromium.org, Jul 17 2017

Comment 2 Deleted

Sign in to add a comment