Security: Able to sync other clients passwords and website sign-in credentials from syncing with another person's property.
Reported by spsinw...@gmail.com, Jul 25
Issue description

Steps to reproduce the problem:

CASE On a number of times I have been able to obtain other clients' password history and website identity and sign on information. I have it saved in my account and it has multiple unknown persons' sign on information of passwords and account name or numbers. Has been able to obtain many people's passwords and sign on information from their accounts from Google through syncing it with my account. I also have been able to get a few accounts' pictures from Google Photos as well. I have been able to get full control of bank information and much more personal information from all apps that had saved information. I am able to send the security leak and the way I have been able to get the security information. I also am wondering if it would be possible to get rewarded for the security information and how it's done.

What is the expected behavior?

Expected behavior is not being able to obtain or use someone else's sign-in information and passwords successfully. Also have been able to save most of the security information and sync up with my account.

What went wrong?

I have been able to obtain and save random but highly private information and passwords for secure sign-ins. All information that is saved on your saved passwords is able to be stolen and saved to be used by anyone.

Did this work before? N/A

Chrome version: 67.0.3396.87 Channel: stable
OS Version: 7.1.1
Flash Version: 7.1.1.08.92.P2.171030.3632A-MPCS

I can definitely demonstrate how to be able to obtain the security information and passwords. Would like to know if finding out said security leak is able to be rewarded for the information.
Jul 25
Thanks for reaching out. There's no way for us to know if this would qualify for a reward without the details of the vulnerability, but what we look for is outlined at https://www.google.com/about/appsecurity/chrome-rewards/

It may also be worth having a look through our security FAQ for additional information. It's available at https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md

In particular, for the type of attack you're describing, it's common that there's some physically local element to it where Chrome may be unable to defend itself in any meaningful way. If that's not the case, we'd likely be interested.

Since there's nothing actionable in this report, I'm going to close it out. Please file a new bug with details on the vulnerability and we'd be happy to take another look.
Jul 25
So basically I am being blown off or etc because I have NM or completely disclosed EXACTLY how to do this vulnerability or bug etc. So even though I told you at Google that I can and have been able to obtain other persons' secure sign-ins and even all photos as well and I can get all future payments and photos to sync to my account without the person even knowing, it's nothing serious? Wow, that makes me feel better about having my account information with Google, I'll tell you that!
Nov 1
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mbarbe...@chromium.org, Jul 25