Security: Saved Payment Method Posted to Other Accounts
Reported by
attn.w...@gmail.com,
Jan 11 2018
Issue description

Steps to reproduce:
1. Log into Chrome & Save Payment Method
2. Log out of your gmail and log in to another user's account (I did my mom's since she needed help with something).
3. Payment method will be stored to the other user's account and they will have access to it even from their android device, where you are not signed in to their browser at all.

Browser/OS: Chrome Version 63.0.3239.108 (Official Build) (64-bit) ? Win10 Build: 1709

Attack scenario: I signed into Chrome so that I could access my passwords, etc. from a different computer. After I finished what I was doing, my mother needed to show me something in her gmail, so I opened up hers, completed the task, and signed out of her gmail account. A few days ago, she saw my debit card number on her phone. I searched her phone and found that inside of Chrome, my debit card number had been stored to her account. I did not authorize Google to share my debit card number with anyone else's account and, depending on the response I receive, may report this to governing authorities. This is a serious issue because I have no way of knowing how far Google has shared my debit card information.
,
Jan 13 2018
,
Jan 13 2018
I did check the link posted and that was not the issue for me. I wonder if it happened because I was still signed into the browser. But my info still should not have synced to her email and phone. By the way, neither she nor I were signed in to her browser on her phone. Thanks again.
,
Jan 16 2018
Sorry to hear you encountered this issue. In general, even if you sign into Chrome to sync your data (like bookmarks, passwords, history, etc.), credit cards are not uploaded to your account unless you explicitly request that they are after going through a checkout form.

In order to help debug, I'll need a few pieces of information from you:
1. A screenshot of chrome://signin-internals from the desktop computer where you said you signed into Chrome with your account and then signed into your Mom's gmail account
2. A screenshot of chrome://signin-internals from Chrome on your Mom's phone
3. Your Mom's gmail account name/identifier
4. Permission from you to look at our server-side logs for both of your accounts, to try to diagnose exactly where your data got cross-synced

I'm cc'ing some folks who can help debug this issue.
,
Jan 17 2018
,
Jan 18 2018
,
Jan 19 2018
Friendly ping for the original reporter.
,
Jan 20 2018
,
Jan 24 2018
We haven't heard from the original reporter for about a week. attn.wren: I'm closing this bug for now, but please let us know if you have more information and we can reopen it.
,
May 3 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org
, Jan 11 2018