Thursday, May 4, 2017

Uncover (very) sensitive info from Google Chrome

In this post I am going to show how we can uncover very sensitive info from Chrome thumbnails in three easy steps. It could also be titled "what a malicious user can see whenever he/she has physical access to your box".

Google Chrome takes screenshots of the sites we visit and shows them as thumbnails on the New Tab page for easy and quick access (image 1).
Image 1: Oops, there is an e-banking thumbnail here!

In the above picture we can see that the 4th thumbnail is a screenshot of a logged-in e-banking session. Also note that this user has already logged out of the bank account, but Chrome still keeps the screenshot that was taken while the user was logged in!

The question now is whether (and how) it is possible to enlarge this specific thumbnail to a more readable size. The answer is "Yes we can"; just pay attention to the following two images. First (image 2), we delete all the thumbnails we are not interested in (using the default Chrome developer tools, aka F12) in order to move our target thumbnail into the upper left corner.

Image 2: remove the uninteresting thumbnails
Then we simply change the main IDs of the class tags to a non-existent name, which makes the thumbnail revert to its original size (image 3)...
Image 3: Just change some div IDs... and voila!

Note that the above is just one example. Chrome takes screenshots of any site at any time without asking your permission, regardless of whether you are logged in or not! Thus e-banking pages, emails, blogs, personal and private sites can all be exposed at random to anyone who can open your browser profile.

I consider this a violation of the first element of the security triad: confidentiality! The above issue has been reported to the Chrome bug tracker (see here; currently marked Unconfirmed).