
Issue 722122

Starred by 6 users

Issue metadata

Status: Duplicate
Merged: issue 464985
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: ----
Type: Feature




Closing an incognito window gives a false sense that your sessions are destroyed

Reported by campb...@sincla.ir, May 14 2017

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug:
https://www.chromium.org/Home/chromium-security/security-faq

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Incognito windows may give a false sense that your session information is destroyed when you close the window. If there is another incognito window open at the same time, logged-in sessions to sites like Google and Facebook will remain until all incognito windows are closed. A malicious attacker may exploit this by having a hidden incognito window running.

VERSION
Chrome Version: 57.0.2987.133 (64-bit) + stable
Operating System: Windows 8.1 

REPRODUCTION CASE
Open an incognito window and minimise it. Open a second incognito window and leave it maximised. Log in to Facebook or Google. Close this window (anticipating that you will be logged out). Open a new incognito window. Go to Facebook or Google. Observe that you are still logged in.

 
Components: UI>Browser>Incognito
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Needs-Feedback OS-Chrome OS-Linux OS-Mac OS-Windows Type-Bug
Status: Untriaged (was: Unconfirmed)
Summary: Closing an incognito window gives a false sense that your sessions are destroyed (was: Security: Closing an incognito window gives a false sense that your sessions are destroyed)
This isn't a security issue; an attacker with access to the system can do anything they like, including running a keylogger, etc. https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

Overall, the feature is working as intended, but perhaps you have a suggestion for a feature that would address your concern?
On Android we display a persistent notification with the option to "close all incognito tabs." Given how easy it can be to lose track of windows open on other monitors, desktops or just moved almost off the screen, it may help to add this feature to the desktop platforms.
Issue 750728 has been merged into this issue.
Labels: -Type-Bug -Needs-Feedback Type-Feature
This is essentially a feature request. Two immediate ideas:

1. Treat each Incognito window as its own isolated session. (This is what most users think they expect of Incognito. However, it is likely a major change architecturally, and there are many corner-cases that will be very confusing, especially when a page uses popup windows).

2. When closing an Incognito window, bring up any other Incognito windows so the user understands that they haven't finished cleanup. (This should be a pretty straightforward change, but users will likely still be surprised that state from their "closed" windows remains accessible in the other windows.)


Components: Privacy
Status: Available (was: Untriaged)
Cc: dullweber@chromium.org msramek@chromium.org maxwalker@chromium.org
Issue 801937 has been merged into this issue.
Mergedinto: 464985
Status: Duplicate (was: Available)
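
The second idea in the thread (surface the remaining Incognito windows when one is closed) can be approximated from an extension background script. This is an added example, not Chromium code and not part of the original thread; it assumes the extension is allowed in Incognito, that its background context stays alive so the in-memory set survives, and `track` and `windowsToSurface` are hypothetical names.

```javascript
// Added example (not Chromium code): surface leftover Incognito windows.
// All Incognito windows share one session, so closing one of them clears
// nothing while another is still open (possibly minimised or off-screen).

const incognitoIds = new Set(); // ids of Incognito windows seen so far

// Remember a window if it is Incognito. Used for onCreated and initial sync.
function track(win) {
  if (win.incognito) incognitoIds.add(win.id);
}

// Decide which windows to bring up after window `closedId` was removed.
// `openWindows` is the list chrome.windows.getAll() reports afterwards.
// Returns [] unless the closed window was Incognito and others remain.
function windowsToSurface(closedId, openWindows) {
  const wasIncognito = incognitoIds.delete(closedId);
  const remaining = openWindows.filter(
    (w) => w.incognito && w.id !== closedId
  );
  // Resync the set from what the browser reports, in case an event was missed.
  incognitoIds.clear();
  remaining.forEach(track);
  return wasIncognito ? remaining.map((w) => w.id) : [];
}

// Wiring, only when running inside an extension (chrome.windows exists).
if (typeof chrome !== 'undefined' && chrome.windows) {
  chrome.windows.getAll({}, (wins) => wins.forEach(track));
  chrome.windows.onCreated.addListener(track);
  // onRemoved passes only the id, which is why the set above is needed.
  chrome.windows.onRemoved.addListener((closedId) => {
    chrome.windows.getAll({}, (wins) => {
      for (const id of windowsToSurface(closedId, wins)) {
        // Ask Chrome to focus each Incognito window that is still open.
        chrome.windows.update(id, { focused: true });
      }
    });
  });
}
```

As the comment in the thread notes, this only makes the shared session visible; the logins stay valid until the last Incognito window is closed.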
