New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 792878 link

Starred by 5 users
Status: WontFix
Owner: ----
Closed: Dec 2017
Cc:
mastiz@chromium.org
tschumann@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Egress Chrome sensitive data (e.g. passwords) from an unlocked PC

Reported by liorma...@gmail.com, Dec 7 2017 
VULNERABILITY DETAILS
Getting all the google accounts detail from the computer and sync it to another account without any password 
Steal local and remote google chrome settings, including sensitive data (e.g. passwords), without being prompted for authentication.
 
VERSION
Chrome Version: 62.0.3202.94 + [stable, beta, or dev]
Operating System: [windows , 10, and service pack level]
 
REPRODUCTION CASE
1. Use a machine that hasn’t been locked by user (i.e. forgot to lock)
1. browse to chrome://settings/people
2. Sign OUT if you are logged in 
3. click Manage other people
4. Add Person 
5. click save
6. click Sign in 
7. click More option
8. click create new account 
9. fill user name and family name
10. fill birthday
11. fill new Gmail user & password
12. click I Agree
13. Then in prompt click “I am the user sync passwords history bookmarks”
14. All sensitive chrome data is now synced with a malicious account
15. Use this account on another machine that you have full access to
16. On that machine, you can now use the sensitive data (e.g. credentials) to login to applications and even see the actual passwords (using your windows password account)
ADDPERSON.jpg
19.8 KB View Download
CREATEACCOUNT.jpg
40.3 KB View Download
CREATEGOOGLEACCOUNT.jpg
30.8 KB View Download
managePeople.jpg
48.9 KB View Download
MOREOPTION.jpg
38.8 KB View Download
SAVE.jpg
39.6 KB View Download
SIGNIN.jpg
34.4 KB View Download
SYNC.jpg
27.5 KB View Download

Comment 1 by liorma...@gmail.com, Dec 7 2017

SYNCED.jpg
214 KB View Download

Comment 2 by elawrence@chromium.org, Dec 7 2017

Components: Services>Sync
Status: WontFix (was: Unconfirmed)
Summary: Security: Egress Chrome sensitive data (e.g. passwords) from an unlocked PC (was: Security:Steal Chrome sensitive data (e.g. passwords), without authentication)
Yes, given unrestricted access to a user's account, you can steal data from it. This isn't a vulnerability in Chrome and isn't unique to browsers. This natural vulnerability is why PCs offer the ability to screen lock.

https://chromium.googlesource.com/chromium/src/+/lkcr/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model

( Issue 766092  notes the fact that logging out of Chrome won't delete local data unless you want it to. That's not really a precondition for your scenario).

Comment 3 by elawrence@chromium.org, Dec 11 2017 

 Issue 793893  has been merged into this issue.

Comment 4 by liorma...@gmail.com, Dec 11 2017 

you don't need to sing out 
even when.you sign out and just save the passwords it if you.login it will take all your bookmarks history and passwords that you saved.
Project Member

Comment 5 by sheriffbot@chromium.org, Mar 15 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by elawrence@chromium.org, Mar 28 2018 

 Issue 826594  has been merged into this issue.

Comment 7 by treib@chromium.org, Jun 5 2018 

 Issue 849410  has been merged into this issue.

Sign in to add a comment