Closing an incognito window gives a false sense that your sessions are destroyed
Reported by
campb...@sincla.ir,
May 14 2017
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template.

Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home/chromium-security/security-faq

Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely deployed.

VULNERABILITY DETAILS
Incognito windows may give a false sense that your session information is destroyed when you close the window. If there is another incognito window open at the same time, logged-in sessions to sites like Google and Facebook will remain until all incognito windows are closed. A malicious attacker may exploit this by having a hidden incognito window running.

VERSION
Chrome Version: 57.0.2987.133 (64-bit) + stable
Operating System: Windows 8.1

REPRODUCTION CASE
Open an incognito window and minimise it.
Open a second incognito window and leave it maximised.
Log in to Facebook or Google.
Close this window (anticipating that you will be logged out).
Open a new incognito window.
Go to Facebook or Google.
Observe that you are still logged in.
,
May 24 2017
On Android we display a persistent notification with the option to "close all incognito tabs." Given how easy it can be to lose track of windows open on other monitors, desktops, or just moved almost off the screen, it may help to add this feature to the desktop platforms.
,
Jul 31 2017
Issue 750728 has been merged into this issue.
,
Jul 31 2017
This is essentially a feature request. Two immediate ideas:

1. Treat each Incognito window as its own isolated session. (This is what most users think they expect of Incognito. However, it is likely a major change architecturally, and there are many corner-cases that will be very confusing, especially when a page uses popup windows.)

2. When closing an Incognito window, bring up any other Incognito windows so the user understands that they haven't finished cleanup. (This should be a pretty straightforward change, but users will likely still be surprised that state from their "closed" windows remains accessible in the other windows.)
,
Jul 31 2017
,
Jan 15 2018
Issue 801937 has been merged into this issue.
,
Jan 15 2018
Comment 1 by elawrence@chromium.org, May 14 2017
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Needs-Feedback OS-Chrome OS-Linux OS-Mac OS-Windows Type-Bug
Status: Untriaged (was: Unconfirmed)
Summary: Closing an incognito window gives a false sense that your sessions are destroyed (was: Security: Closing an incognito window gives a false sense that your sessions are destroyed)