Security: Reading Chrome cookies in plaintext without root access
Reported by defaultn...@gmail.com, Sep 28
Issue description

VULNERABILITY DETAILS
An actor with the ability to execute code on a user's machine can read the user's Chrome cookies for any profile in plain text. The method uses Chrome's Remote Debugging and Headless Chrome's option to set a user-data-dir. I understand that it's possible that this is an intended feature of Chrome, just thought I'd let you know anyway.

VERSION
Chrome Version: 59 stable+
Operating System: Windows, Linux, OS X (version independent to my knowledge?)

REPRODUCTION CASE
Instructions and proof-of-concept code attached (zip download of a git repo).
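A defender-side check for the launch pattern the report describes, added here as an example and not part of the report or its attached proof-of-concept: it scans process command lines (constructed sample records below, not taken from the report) and flags Chrome instances started with a remote-debugging flag, rating the finding higher when --user-data-dir points at one of Chrome's standard per-user profile roots. The profile-root hint list and the severity labels are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation command lines (not from the report),
# one per entry, as an EDR or Sysmon export might list them.
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
    r'--remote-debugging-port=9222 --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"',
    '/usr/bin/google-chrome --remote-debugging-port=9222 --user-data-dir=/tmp/devtest',
    '/usr/bin/google-chrome --headless --disable-gpu --screenshot https://example.test',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222',
]

# The two flags the report relies on: remote debugging exposes the full
# DevTools protocol (cookies included), and --user-data-dir lets a second
# Chrome instance be pointed at an existing profile directory.
REMOTE_DEBUG_RE = re.compile(r'--remote-debugging-(?:port(?:=\d+)?|pipe)\b')
USER_DATA_DIR_RE = re.compile(r'--user-data-dir=(?:"([^"]*)"|(\S+))')
HEADLESS_RE = re.compile(r'--headless\b')
# Matches a chrome/chromium executable name followed by end of token.
CHROME_BIN_RE = re.compile(r'(?:chrome|chromium)[^\s"\\/]*"?(?:\s|$)', re.IGNORECASE)

# Hypothetical list of substrings identifying Chrome's standard profile
# roots per OS; extend for your fleet.
PROFILE_ROOT_HINTS = (
    r'\Google\Chrome\User Data',
    '/.config/google-chrome',
    '/.config/chromium',
    '/Library/Application Support/Google/Chrome',
)


@dataclass
class Finding:
    cmdline: str
    severity: str            # 'high' or 'medium' (assumed labels)
    reason: str
    user_data_dir: Optional[str]


def assess_cmdline(cmdline: str) -> Optional[Finding]:
    """Return a Finding if this looks like a Chrome launch with remote debugging."""
    if not CHROME_BIN_RE.search(cmdline):
        return None
    if not REMOTE_DEBUG_RE.search(cmdline):
        return None
    m = USER_DATA_DIR_RE.search(cmdline)
    udd = (m.group(1) or m.group(2)) if m else None
    headless = bool(HEADLESS_RE.search(cmdline))
    suffix = ' (headless)' if headless else ''
    if udd and any(h.lower() in udd.lower() for h in PROFILE_ROOT_HINTS):
        # Remote debugging over a real user profile: cookies of that profile
        # are reachable through the protocol.
        return Finding(cmdline, 'high',
                       'remote debugging enabled on an existing user profile' + suffix, udd)
    detail = ' with custom user-data-dir' if udd else ''
    return Finding(cmdline, 'medium', 'remote debugging enabled' + detail + suffix, udd)


def scan(cmdlines: List[str]) -> List[Finding]:
    """Assess every command line and keep only the ones that raise a finding."""
    return [f for f in map(assess_cmdline, cmdlines) if f is not None]


if __name__ == '__main__':
    for f in scan(SAMPLE_CMDLINES):
        print(f'[{f.severity}] {f.reason}: {f.cmdline}')
```

Pair this with a process-creation event source; the high-severity case (a second Chrome bound to the user's live profile directory with debugging exposed) is the one the report's comments agree is working as intended, so it has to be caught on the host rather than in the browser.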
Sep 28
+skyostil re http://crbug.com/668932, which is referenced in the details here.
Sep 28
Thank you for filing the issue! I have to say this is working as intended. The remote debugging protocol is meant to provide full access, including cookies, and running Chrome with a flag makes it work. I am surprised cookies can be read from a headful Chrome profile by the headless Chrome. We have plans to make profiles inter-operable, but that didn't happen yet. Maybe cookies are supported though, I didn't look too close.
Jan 5
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Sep 28
Components: Platform>DevTools
Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows