Security: I can see someone else's account mail inbox on frequently visited sites tab
Reported by
lahari.a...@gmail.com,
Oct 8 2017
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template.

Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs: https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely deployed.

VULNERABILITY DETAILS
When I open Chrome, I get a few suggestions of websites, one of which was a screenshot of the mail inbox. Since the font was big and pictures were inserted in the mail, I could make out the content of the mail. This shouldn't be the case. If it's a mail or social media page, the login form should be displayed instead of the actual mail or homepage.

VERSION
Chrome Version: Version 61.0.3163.100 (Official Build) (64-bit)
Operating System: MAC

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug.

Open your mail/fb/LinkedIn multiple times and you can see the suggestion of the opened mail or your homepage in the tab.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
Oct 9 2017
Duping into Issue 771155 for now since it looks like the report is describing a similar concern.
Oct 9 2017
Note: As a workaround, you can remove the thumbnail by moving your mouse over it and clicking the small "x" that appears in the top right corner.
Oct 9 2017
Hello All, Me and my friends sometimes open the same mail page. But everyone has their own accounts. I could see my friend's mail opened in the thumbnail, as well as the Facebook page opened. I think it is not appropriate to expose contents of one's mail and social media account in the thumbnail. As for the WA, I think it works for an ethical person. But how safe is it in internet cafe? Frequently visited sites shouldn't display the contents. If the font is bigger, anyone can see my OTP or personal data.
Oct 9 2017
IMO thumbnails should only capture login page :)
Oct 9 2017
> Me and my friends sometimes open the same mail page.
> But everyone has their own accounts.

When sharing a single device with someone you trust, the right way to go about it is to give each user a different Chrome profile: https://support.google.com/chrome/answer/2364824?co=GENIE.Platform%3DDesktop&hl=en or use Guest mode as appropriate.

> But how safe is it in internet cafe?

It's inherently unsafe to use an unknown device (e.g. Internet cafe computer) which is controlled by an untrusted party and shared with untrusted users. While you can use Guest/Incognito mode to attempt to preserve your privacy, other users or administrators could easily reconfigure the device to capture all of your private data. See https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model for discussion.
Oct 9 2017
Comment 1 by elawrence@chromium.org, Oct 8 2017
Labels: Needs-Feedback