
Issue 752429


Issue metadata

Status: Duplicate
Owner: ----
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Unrestricted access allows syncing of passwords to a different user

Reported by mortenfo...@gmail.com, Aug 4 2017

Issue description

Hi Google Chrome Team,

I found a critical security flaw in Google Chrome, which allows me to steal users' passwords really quickly and easily.


Please see the attachment for documentation.
 
Attachment: Steal information from google account.pdf (395 KB)
Components: Services>Sync
Mergedinto: 584675
Status: Duplicate (was: Unconfirmed)
Summary: Unrestricted access allows syncing of passwords to a different user (was: Critical security flaw in chrome)
The PDF describes an attack whereby a logged-in victim who loans their browser to an attacker has their passwords stolen. The attacker logs out of Chrome (without choosing to delete data), then logs into Chrome using their own account, choosing to sync the local state to their own account.

As explained here: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- this is but one of myriad attacks in which unrestricted physical access to the PC enables theft of data.
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 11 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
