Thumbnails on desktop NTP do not match title & favicon
Reported by
sharif.y...@beximtex.com,
May 2 2017
Issue description
In the Chrome thumbnail, it shows both Facebook and Gmail thumbnails. So the user may get easily confused. Please see the attachment. Please fix it.
,
May 2 2017
Perhaps a variant of Issue 695779?
,
May 2 2017
-security flags.
,
May 2 2017
,
May 2 2017
+treib, mastiz
,
May 12 2017
,
May 12 2017
This bug reminds me of the recent Issue 715149, which I however think is unrelated. Some questions:
1. The attached screenshot displays some Arabic text: I suppose this is WAI and unrelated to this bug report?
2. Does the thumbnail get fixed if you click on it? If that's the case, and since you're signed in, that'd point to Kodachrome as suspect, which is the server-side infrastructure to provide thumbnails when no local one is available.
,
May 12 2017
The questions above are for the reporter, sharif.yellow@beximtex.com, thanks.
,
May 13 2017
1. I don't know all about this. I am not a technical person.
2. No, it does not. It's been looking the same for more than a month.
,
May 25 2017
,
May 29 2017
Now, I don't see any error. All thumbnails are showing correctly.
,
Jul 25 2017
This must have been a transient issue with our server-side infrastructure to provide thumbnails. Will close the bug since it's not reproducible anymore, thanks for reporting.
,
Jul 26 2017
Excellent! It's great that you found the solution. Am I entitled to get the reward now?
,
Aug 6 2017
May I expect any reply?
,
Aug 7 2017
Sorry for the silence. I have myself limited knowledge about reward programs, please check https://www.google.com/about/appsecurity/chrome-rewards/
,
Aug 7 2017
Thank you so much for your prompt reply. Well, I am also not very familiar with the reward program. However, as you label this issue as a security issue (see first email: Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug) and since it is a high quality report, e.g. "a transient issue with our server-side infrastructure to provide thumbnails", I believe it falls under the below category: "Renderer Remote Code Execution - High-quality report with functional exploit". Here is the screenshot: [image: Inline image 1] Being the best company in the world, I believe, Google will appreciate my effort.
,
Aug 8 2017
Thanks for the kind words and sorry for not being able to help you with this stage. I can only refer you to the link in comment #16.
,
Aug 8 2017
Hello sharif.yellow@ - I'm afraid this doesn't qualify for a reward as while there might be some confusion, there is no security risk to the user in this case.
,
Aug 9 2017
Hello awhalley@, Thanks for clarifying that it's not a security issue. However, you have mentioned that it's a server side issue @ Comment #13. Let me quote you: "This must have been a transient issue with our server-side infrastructure to provide thumbnails. Will close the bug since it's not reproducible anymore, thanks for reporting." If it's true, then it could fall under "Google Vulnerability Reward Program (VRP)". Link: https://www.google.com/about/appsecurity/reward-program/index.html In that case, it could qualify for the program. [image: Inline image 1] Please advise me.
,
Aug 9 2017
Two comments:
1. wrt the conclusion in c#13: I don't think this is related to Kodachrome. The thumbnails show Facebook while being logged in. Kodachrome doesn't have access to client side cookies. So it's impossible that it produced this screenshot. I rather suspect some client side problem. @treib: Didn't you recently work on the thumbnail generation part?
2. wrt the discussion about the bug bounty: The program mentioned in c#20 IMHO is only applicable if you can actually demonstrate a working attack. The attack must put "confidentiality or integrity of user data" at risk. This is not the case here since Chrome 'just' shows the wrong thumbnail. This is undoubtedly very confusing and definitely should be fixed, but it doesn't put your data at risk (at least as far as I can tell). Therefore I think this doesn't apply here. But let me point out once more that your report is very much appreciated! Keep on reporting issues - this is very helpful for us!
,
Aug 9 2017
All my recent changes landed after this report, and none of them have even made it to Stable yet. The screenshot in the report is from a non-standard NTP, probably overridden by an extension. sharif.yellow@, can you try uninstalling or disabling that extension, and checking if the standard NTP also has this problem? It's possible that the problem is in that extension rather than in Chrome itself.
,
Aug 21 2017
,
Sep 5 2017
Setting back to Unconfirmed while we wait for confirmation if this also happens on the standard NTP, as opposed to some extension-provided one which we don't control.
,
Oct 11 2017
It's happening to other devices also. I could help you guys but it requires time. Are you sure the issue does not fall in any reward category?
,
Oct 11 2017
Thank you for providing more feedback. Adding requester "treib@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 11 2017
Sorry, as far as I know there are rewards only for security issues.
,
Oct 12 2017
Please remove my email from the CC.
,
Oct 12 2017
Closing as not reproducible then. Presumably this was related to the extension-overridden NTP.
Comment 1 by elawrence@chromium.org
, May 2 2017