
Issue 809581 link

Starred by 3 users

Issue metadata

Status: Duplicate
Merged: issue 670488
Owner: ----
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Site thumbnails not cleared by signing out of Chrome

Reported by cjdennin...@gmail.com, Feb 6 2018

Issue description

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Google Chrome presents visual bookmarks of frequently visited pages for the user on their home page. These are visible even when the user has logged out of their Google account and a new tab is opened. The screenshots are capturing behind-login information (I was able to view recent financial transactions and email correspondence in the screenshot by enlarging the visual bookmark). I believe this presents a security risk on shared computers.


VERSION
Chrome Version: Latest/Stable, Windows 7, SP3

REPRODUCTION CASE
Start with clean history and frequently visit pages for bookmark consideration.
They will become viewable on Google homepage.

Sample attached

 
IMG_0018.PNG (237 KB)
Components: UI>Browser>NewTabPage Privacy
Signing out of sync has no impact on locally-stored data like History (and thus the screenshots of the new tab page); see https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Signing-out-of-Chrome-does-not-delete-previously_synced-data

The mitigation for information disclosure via screenshots of the new tab page is noted in Issue 670488 -- basically the screenshots are set to a very low resolution.
Mergedinto: 670488
Status: Duplicate (was: Unconfirmed)
Summary: Security: Site thumbnails not cleared by signing out of Chrome (was: Security: Google Chrome showing behind login screenshot on homepage.)
Project Member

Comment 3 by sheriffbot@chromium.org, May 16 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
