Browser Security issue in Desktop Notification with multiple user profile
Reported by
ashik.em...@gmail.com,
Aug 13
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36

Steps to reproduce the problem:
1. Need to configure the Browser with multiple user profiles.
2. Click Exit and Childlock.
3. In this state, if any desktop notification appears from Facebook/YouTube or any other site, click on the Desktop Notification.
4. It will log in directly, bypassing the Childlock security feature.

What is the expected behavior?
User Profile Credentials/Password must be entered to log in to the Browser in the Childlock state, even when the Desktop Notification is clicked.

What went wrong?
This is absolutely a big security hole for the Browser with multi-user/Childlock security.

Did this work before? N/A

Chrome version: 68.0.3440.106 Channel: stable
OS Version: 10.0
Flash Version:

This is a vulnerability in the Browser's Childlock security features. Please resolve the issue.
Aug 13
Cordeiro, this is an issue on Legacy supervised users. +Zach
Aug 13
I added a Security_Severity-Medium label. escordeiro@chromium.org, please feel free to remove these security labels if you think it is more appropriate to be treated as a functional bug. Thanks!
Aug 13
Aug 14
Aug 17
Supervised user profiles, which have the "exit and childlock" feature, are well on their way to deprecation on Chrome desktop in M70 (and shortly after that on ChromeOS as well): https://bugs.chromium.org/p/chromium/issues/detail?id=866578 I propose we do not address this particular bug.
Sep 1
escordeiro: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 1
I agree we shouldn't fix this as SU are being deprecated. I'm going to wontfix, feel free to reopen if anyone disagrees.
Dec 9
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jialiul@chromium.org, Aug 13
Owner: brunokim@chromium.org
Status: Assigned (was: Unconfirmed)