
Issue 770479


Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Internal logs and hash files disclosure

Reported by bewithsa...@gmail.com, Sep 30 2017

Issue description

Hello, 

During testing I found out that the following Google Cloud bucket has public access to internal files of the Chromium project, including hashes and logs.

Here is the Google Cloud SDK command I used to download the internal files. 

```
Sahils-MacBook-Pro:desktop sahil$ gsutil ls gs://chromium-browser-official

gs://chromium-browser-official/chromium-32.0.1700.7-lite.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.7-testdata.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.7.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.72-lite.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.72-lite.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.72-testdata.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.72-testdata.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.72.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.72.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.76-lite.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.76-lite.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.76-testdata.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.76-testdata.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.76.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.76.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.77-lite.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.77-lite.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.77-testdata.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.77-testdata.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.77.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.77.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.8-lite.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.8-testdata.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.8.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.9-lite.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.9-testdata.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.9.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.95-lite.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.95-lite.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.95-testdata.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.95-testdata.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.95.tar.xz
gs://chromium-browser-official/chromium-32.0.1700.95.tar.xz.hashes
gs://chromium-browser-official/chromium-32.0.1700.99.log
gs://chromium-browser-official/chromium-32.0.1700.99.log.hashes
gs://chromium-browser-official/chromium-33.0.1701.0-lite.tar.xz
gs://chromium-browser-official/chromium-33.0.1701.0-testdata.tar.xz
gs://chromium-browser-official/chromium-33.0.1701.0.tar.xz

```

Above are only a very few of the files taken from the bucket.

I thought you might be interested in knowing about this issue; that's why I am reporting it here.

Thanks 
-Sahil
 
Status: WontFix (was: Unconfirmed)
These are known GCS buckets to download Chromium official builds, e.g. see https://chromium.googlesource.com/chromium/src/+/lkcr/docs/chromium_browser_vs_google_chrome.md
Project Member

Comment 2 by sheriffbot@chromium.org, Jan 7 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
