Issue metadata
Sign in to add a comment
|
Pause all media when lid is closed and screen locked, don't restart on open
Reported by
dkrishna...@gmail.com,
Apr 27 2017
|
||||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS Someone else can know what I am watching on youtube or a videos on my chromebook just by opening my chrome book lid without entering password. I have secured to enter password everytime I open lid, but no use. Hi, When my chrome book lid closed while watching YouTube or videos, it is going to sleep which is good. I have set it to ask password when I open lid, i.e when it come back from sleep. But without even entering password, youtube or videos starts playing in the background. This is not secure at all. Clearly it is BUG. Can you please fix and update me more about it. Secondly, Is there an option if I want to automatically close all browsers/tabs when I close the lid. Or Is there an option that system shuts down instead of going to sleep when lid closed. Just an option to user how he want's it to behave. You can at least keep these options in advanced settings. Or can you let me know if I can do with any scripts or changing any settings I am not aware of. Thanks a lot for your help. I also brought this up with one of the google chat agent Anna today. She/he checked and agreed it is an privacy issue that need to be fixed as we do not want someone else to know what I am watching without security password on my laptop. Now they will easily know just by opening lid. VERSION Chrome Version: Version 57.0.2987.146 (64-bit) Operating System: ChromeBook REPRODUCTION CASE Please enable password required everytime chrome book wake up and play youtube and close the lid and see if video starts playback when lid opens without entering password FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION N/A
,
Apr 28 2017
This is, unfortunately, somewhat working as intended. Essentially there's two factors at play: 1-We want music and videos to keep playing when the screen goes off, if people are e.g. using their Chromebooks to play music at a party. 2-We don't have a clear distinction between "screen off but something playing" and "screen off because we just came back from sleep/just reopened the lid". Ideally, we'd only keep playing music if the screen is locked/turned off, but not if we're resuming from sleep after closing and re-opening the lid.
,
Apr 29 2017
If user want to continue to listen to content when he open lid, he can choose not to lock the screen every time he open lid. But, The whole purpose of asking to login everytime lid open is to secure the content. Be it a text, graphic, audio or video. It is content that need to be protected. when user specifically selected to choose to login everytime lid open, it means user do not want anyone to intrude into content. When he close the lid and packed the chromebook and someone had the opportunity to open lid, then the disaster can happen. If the video is too personal, it will hurt the business or relationship. Guys I love chromebook. I am just pointing out large security concern of audio content being leaked even when user choose to authenticate to reveal the content everytime lid open.This is my 6th chromebook purchase and I love it. Isn't this a serious security issue that needs a fix to use the chromebook securely.
,
May 1 2017
I do think there is a potential functional bug here; as #2 says, this behavior is "somewhat" working as intended. For example, we could consider closing the lid (but not just the screen locking) to be equivalent to an explicit Pause action on all media. I leave that question to the media and auth teams. +battre FYI, this issue has a privacy aspect as well. But I don't see a security vulnerability. If the 'attacker' is someone physically near the device, most defense techniques cannot work.
,
May 1 2017
+Dale and John
,
May 1 2017
+tbuckley who was looking into this I think.
,
May 1 2017
+warx who has a CL for something similar too, https://codereview.chromium.org/2821303004/
,
May 6 2017
Updating title. This is something we can fix with Issue 694384
,
May 11 2017
With bug 719968 , there will be an internal flag to turn on media session without audio focus which will allow https://codereview.chromium.org/2821303004/ to work without having to turn on audio focus as a side effect.
,
May 11 2017
,
May 16 2017
One question, if lid open should not start audio playing, it should keep paused until user manually starts the audio, right?
,
May 17 2017
Yep, the video should stay paused until the user manually starts it again.
,
May 18 2017
,
May 18 2017
Can we make this not be a security bug (which means that Chrome OS developers can't see it unless they're cc-ed), or just dupe it into a public bug? This is the way that Chrome OS has always worked. I'm fine with it being changed if UX decides that that makes sense, but it's not as if it was unknown up until now.
,
May 18 2017
Also, this doesn't have anything to do with the lid being closed. It should probably be tied either to the system suspending or the screen being locked. The latter will break people who want audio playback to continue even when their screen is locked, though.
,
May 18 2017
Labels removed. It should never have been a security issue in the first place, privacy bug at most, more like feature request.
,
May 18 2017
,
May 19 2017
Looks like issue is being diluted. I am in music industry and my recorded music videos are being stolen/leaked from my chromebook just by someone opening my chromebook without credentials. Does this not mean my data is not secured? How is my business data is secured? Is this not data Security issue?
,
May 19 2017
Also please note this has nothing to do with Issue 694384 . You are mixing two different reports. Issue 694384 is focused on need/feature request where as 716066 is reporting data security issue when lid open without credentials. Why mix these issues. Please take serious look into the issue. Let me know what help is needed to understand the security issue better.
,
May 21 2017
You'll see the same behavior on any other laptop, as far as I'm aware. Programs normally pick up where they left off after a system suspends and resumes. This is standard behavior. As mentioned earlier, there's a feature request to override this behavior and pause video and audio elements automatically. If you want to prevent videos from continuing after the system resumes before this change is made, you can pause or close the video before suspending your system.
,
Jun 20 2017
I did great mistake spending my time to report issue to Google. From this experience , I will surely stay away from you guys. I knew you guys will surely fix these serious issues, Buy you will never admit the seriousness of the issue or give credit to anyone who found it. Hats Off and Sign Off.
,
Jun 20 2017
And do not say same behaviour from any other laptop without verifying. My Lenovo Thinkpad W540 with windows 10 doesn't do that.
,
Sep 5 2017
,
Jun 26 2018
,
Jul 24
Updating components per Warx@.
,
Oct 21
|
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by palmer@chromium.org
, Apr 27 2017Components: Internals>Media
Labels: Security_Impact-Stable OS-Chrome
Summary: Video plays in the background even before re-authentication (was: Security: Someone else can know what I am watching without password.)