Issue metadata
Security: Signing out of Chrome does not delete data
Reported by
itsma...@gmail.com,
Feb 7 2018
Issue description

VULNERABILITY DETAILS

I downloaded Chrome on a Windows server in the AWS cloud. The server is shared by multiple system administrators. I logged in to Chrome using the "People" feature. After my work I signed out of my Google account and Google Chrome and shut the server instance off. The next day I started the server and started surfing another website; to my surprise, Chrome auto-filled my login details correctly and allowed me to log in to that website. When I checked the People menu under Settings, it did not show me as logged in. As a next step to delete my information from the server, I uninstalled Chrome and restarted the server. To check whether my details were gone, I installed Chrome again from Google's website. As it was a fresh install, the People setting was empty. But again Chrome showed me form fill-in entries. This means anyone accessing the server can log in to any website for which my credentials are stored in my Google account.

VERSION

Chrome Version: Version 64.0.3282.140 (Official Build) (64-bit)
Operating System: Windows Server 2016 Data Center edition - Microsoft Windows [Version 10.0.14393]

REPRODUCTION CASE

1) Sign in to Chrome.
2) Save some credentials to your Google account.
3) Sign out.
4) Try logging in to the same website for which the password was saved. Chrome offers to auto-fill the correct password.

I have attached an image showing:
1) In the left tab, no one is signed in to Chrome.
2) In the right tab, Chrome entered my correct credentials.
Feb 7 2018
It is expected behavior that signing out of Chrome does not delete password manager and autofill entries unless you direct it to do so by checking the checkbox on the signout UI: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Signing-out-of-Chrome-does-not-delete-previously_synced-data

When you uninstalled Chrome, did you check the "Also delete your browsing data" checkbox shown by the uninstaller?

Your screenshot in #1 does not show the top of the list (it's scrolled to the bottom). The top of the list has a dropdown that specifies how far back in time data should be deleted. You'll want to set the time range to "All time" instead of "Last hour".

Sharing a single Windows login account with other users is never secure: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model
Feb 7 2018
Thanks for the explanation. I agree with the explanation. Just some quick feedback: given the widespread adoption of digital technology by a lot of not-so-cyber-educated people, it might be helpful for them if Chrome provided some alerts about such behavior with sensitive data. For example, I know at least hundreds of people who could easily be tricked into logging in on someone else's computer, giving away their sensitive data. And these people are not educated enough to find such a technical FAQ. Your response solves my question; you can close the issue. Thanks again.
Feb 7 2018
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 17 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Attachment to comment 1 by itsma...@gmail.com, Feb 7 2018: screenshot (34.9 KB)