Thumbnails showing sensitive client information
Reported by
navya.ga...@gmail.com,
Apr 13 2018
|
|||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Steps to reproduce the problem: What steps will reproduce the problem? (1)Log in to any site (2)use it most number of times and make is the most visited URL on your computer (3)The thumbnail appears with the logged in information - like your name, details on the page. Suppose if its your email - the screenshot/thumbnail will show the emails when enlarged. What is the expected behavior? What went wrong? Vulnerability Details: Please provide a brief explanation of the security issue. The thumbnails show the sensitive information from the application such as client name and balances on the account. We are using cache control headers as "no-cache, no-store, must-revalidate". Please let us know if there is any other approach a developer can follow to stop this from happenening. What steps will reproduce the problem? (1)Log in to any site (2)use it most number of times and make is the most visited URL on your computer (3)The thumbnail appears with the logged in information - like your name, details on the page. Suppose if its your email - the screenshot/thumbnail will show the emails when enlarged. Did this work before? N/A Chrome version: 65.0.3325.181 Channel: stable OS Version: 10.0 Flash Version:
,
Apr 16 2018
Able to reproduce this issue on reported version 65.0.3325.181 and on latest canary 68.0.3397.0 using Windows 10, Mac 10.13.3 and Ubuntu 14.04. This issue is seen from M-60. Hence considering this issue as Non-Regression and marking as Untriaged. Thanks!
,
Apr 16 2018
Hi, Is there any workaround from application side to prevent these pages to come in thumbnails
,
Apr 16 2018
Note that physically local attack[er]s are specifically not part of Chrome's threat model, see https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model If you're more worried about people looking over your shoulder and seeing what pages you visit, there are various Chrome extensions that will change your new tab page. Closing, as I don't believe there's anything actionable here.
,
Apr 16 2018
Can you help us from application perspective if we can do anything to prevent these thumbnails from showing the sensitive information.
,
Apr 16 2018
I'm sorry, I don't know what "application perspective" means. Who is the attacker in this scenario? Just showing sensitive information to the actual user is not typically a problem.
,
Apr 16 2018
For example if a user logs into his/her bank account on a public computer, logs off and leaves. And then someone else open chrome, will be able to see the information in the thumbnail. From application perspective, are there any headers we can use that can prevent chrome from taking the screenshot of the page. Please let us know. Thank you.
,
Apr 16 2018
Ah, you represent the website that's having a thumbnail of it cached, I see, I misunderstood initially. Seems more reasonable, though I'm not aware what our current approach. Looks like other's have had this problem before, see https://stackoverflow.com/questions/40612490/how-to-control-the-screenshots-of-my-website-in-the-recently-used-websites-list Reopening
,
Apr 16 2018
+desktop NTP TL
,
Apr 17 2018
In addition to the comments that skym@ has already made, I'd note that we're aware of the concern with thumbnails and are working on an approach to address it. We don't have a recommended approach to prevent a site from being snapshotted, but I'd like to note that the image is very small, 308x192px (2x 154x96), which is usually small enough to make text unreadable.
,
Apr 17 2018
Thanks for the update, Ramya. But few numbers/text (balances, username, account numbers) are in good enough size - readable from the thumbnail when enlarged and this is a security concern. Please keep us posted.
,
Apr 17 2018
Sure. In the meantime, it may be worth reminding site users to use an incognito tab on public computers, and if not, that any thumbnails can be deleted by clicking on the X at the top right.
,
Jun 20 2018
Hi Team, any update on this bug ? When are you planning ti fix this ? Please let me know. Thanks.
,
Jun 20 2018
,
Jun 20 2018
This issue is no longer applicable starting in M69 due to new UI.
,
Jun 21 2018
Hi Team, Do we need to upgrade the browser version for this to be effective or it gets upgraded automatically? Please let me know. Thanks.
,
Jun 21 2018
You'll need to upgrade when M69 ships in September. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by sindhu.chelamcherla@chromium.org
, Apr 16 2018