Security: Search box (CMD+F/CTRL+F) data leak
Reported by kolasins...@gmail.com, May 19 2017
Issue description
This exploit allows detecting what the user types into the search box in web browsers. It uses the window scrolling to the searched element as the user types text. For example, it can be used for stealing passwords, credit card data, social security numbers – "hey, we have your data, just search it".
Google Chrome 58.0.3029.110 (64-bit) macOS 10.12.4 (16E195)
May 19 2017
This got reported against Internet Explorer approximately 10 years ago, and I would be very surprised if there's not a "Won't Fixed" duplicate somewhere in the Chrome bug tracker.
May 19 2017
I believe this is the same as Issue 573278. Interestingly, as noted in c#6 of that bug, Issue 152252 represents a possibly more compelling mechanism of data theft.
May 19 2017
This has already been marked WontFix in issue 573278.
May 19 2017
Why can't you fix it? In my opinion, you should freeze window scroll position feedback for JavaScript when the user is auto-scrolled by the search bar.
May 19 2017
Re #5: The problem with the proposal in #5 is that it is likely to have a compatibility impact. Scrolling markup while lying to JavaScript about the scroll position would be a breaking change to the web platform.
May 19 2017
I understood, thank you
Aug 26 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tarqui...@opera.com, May 19 2017