
Issue 857536

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Chrome homepage shows an email opened in Inbox by Gmail as a thumbnail.

Reported by athanasi...@gmail.com, Jun 28 2018

Issue description

VULNERABILITY DETAILS
Google Chrome shows a thumbnail of an email that I have opened once in my account at Inbox by Gmail web app instead of the Inbox by Gmail login page. Some malicious user can see text, images, the sender or other details of the specific email.

VERSION
Chrome Version: [67.0.3396.99] + stable
Operating System: Microsoft Windows 10 Enterprise Version 10.0.17134 Build 17134

REPRODUCTION CASE
I don't know how to reproduce it. I just used Inbox by Gmail as a normal user would do.
 
security_issue.png (345 KB)

Comment 1 by aarya@google.com, Jun 28 2018

Status: WontFix (was: Unconfirmed)
Click on the cross on the top right to disable it from showing in the new tab page. Not a security issue.

Comment 2 Deleted

I strongly disagree with your response and I think that this is a serious privacy issue that you need to address. Imagine a computer in a library with a single Windows account and Chrome installed. It lets the user of the PC see what the logged-in area of a website that the previous user has visited looks like (showing images, text, etc., which is especially critical if this is a web-based email service such as Gmail, Inbox, etc. - it means the user can see the emails of a previous user!).

Moreover, I just found out that Chrome does this for all websites and not just Inbox by Gmail. As you understand, this is a pretty serious privacy issue. Please consider this a Coordinated Vulnerability Disclosure. My aim is for the world and its users to have secure software that does not give away their privacy. This is the reason I contacted you first and didn't go public with a Full Public Disclosure. As per Coordinated Vulnerability Disclosure standards, I am giving you a time frame of 90 days to fix the issue; otherwise I will have to go public in the users' best interest.

I'm here for any other information you may want.
Best Regards
Hi again,

As I see, in Version 69 you have fixed the issue, but you gave me no credit or bug bounty. Is this by mistake? Or are you just ignoring me?

Please look into the issue and let me know. If I don't get a reply from you within 3 days, I will consider that you are just ignoring me and I will go public with this.

Best Regards,
Athanasios Emmanouilidis
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 5

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
