
Issue 831991

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Password change remove additional layer of security

Reported by aa...@architrongroup.com, Apr 12 2018

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug:
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
When I try to change my password, I am redirected to a link for changing the password. It confirms my password, but on the same page. So when I change my account (in case I own more than 2 accounts), instead of going to my Gmail page, I go to the change-password page of the account I tried logging into. I feel that changing the password should only be accessed when you are in Gmail and not from merely changing account. This removes an additional security layer, as I can bypass logging into Gmail to change the password.

VERSION
Chrome Version: [x.x.x.x] + [stable, beta, or dev]
Operating System: [Please indicate OS, version, and service pack level]

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace *with symbols*, registers,
exception record]
Client ID (if relevant): [see link above]

Attachments: d1.JPG (50.3 KB), d2.JPG (72.9 KB), d3.JPG (83.6 KB), d4.JPG (76.6 KB)

Status: WontFix (was: Unconfirmed)
This does not reflect a security vulnerability in Google Chrome. You're trying to report an issue with the Google Account website. 

Issues in non-Chrome sites and services operated by Google can be reported here: https://goo.gl/vulnz

For what it's worth, it's not clear what problem you're attempting to report here. For bug reports, please include a full screenshot (including the URL bar) as well as a textual description of what you're doing (e.g. "I click on the account switcher at the top right, then choose "foo@bar.com" from the dropdown...") between each screenshot.
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 20

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
