Security: Authentication bypass in Incognito mode
Reported by praves...@gmail.com, Jan 17 (5 days ago)
Issue description
-------------------------
VULNERABILITY DETAILS
When a user authenticates on any website in the incognito mode of Google Chrome, it is expected that his session is private. However, that is not happening: once the user is authenticated, the internal URL of the website becomes accessible in a new incognito window. The expectation here is that every incognito window should ask for new authentication.

VERSION
Chrome Version: [71.0.3578.98 (Official Build) (64-bit)]
Operating System: [Windows 10 Gold Engineering v6]

REPRODUCTION CASE
1. Open Chrome in incognito mode.
2. Log in to any application, for example amazon.in.
3. Copy any post-authentication URL.
4. Open another incognito window.
5. Paste the copied URL.

Actual behavior: Page is successfully rendered.
Expected: Login page should be displayed.

CREDIT INFORMATION
Externally reported security bugs may appear in Chrome release notes. If this bug is included, how would you like to be credited?
Reporter credit: [Pravesh Jha]
Comment 1 by jdeblasio@chromium.org, Jan 17 (5 days ago)
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: WontFix (was: Unconfirmed)