Cast Streaming extension being enabled and updated automatically over insecure channel
Reported by
marek.se...@gmail.com,
Mar 20 2016
|
||
Issue descriptionPRIVACY ISSUE Chrome Canary automatically enabled (and I don't know when) Cast Streaming. Extension, which is not listed in chrome://extensions or chrome://plugins. Only mention I've found is in chrome://flags under title "Cast Streaming hardware video encoding" When Chrome Canary is started, it automatically fetches latest version of CRX for Chrome Cast plugin over insecure HTTP protocol (see full wireshark dump lower). Privacy issues from my POV: 1) Chrome Cast extension exists built-in and cannot be disabled by standard means 2) Update process is done over insecure HTTP protocol (information leak) VERSION: Chrome Version: 51.0.2673.0 canary (64-bit) - and previous Operating System: OSX 10.10.5 latest patch level, 64-bit REPRODUCTION STEPS Start up chrome and watch firewall/network monitor to mention "http://redirector.gvt1.com/crx/blobs/..." URL FULL Wireshark dump GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP0swKAzb3KcuJ8GizR3XY3LLuJfiJzLNDj_ji1aWUDeGHBdIN_TAVFhwePtVA4WtATHAD1XXQqOLoQB6frm4jxTAMZSmuVI4WrvDCdq1yGoU2CXbR-tiHFe-Q/extension_5116_315_0_0.crx HTTP/1.1 Host: redirector.gvt1.com Connection: keep-alive DNT: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2673.0 Safari/537.36 Accept-Encoding: gzip, deflate, sdch Accept-Language: en,cs;q=0.8 HTTP/1.1 302 Found Date: Sun, 20 Mar 2016 10:12:22 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Location: http://r8---sn-2gb7ln7l.gvt1.com/crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP0swKAzb3KcuJ8GizR3XY3LLuJfiJzLNDj_ji1aWUDeGHBdIN_TAVFhwePtVA4WtATHAD1XXQqOLoQB6frm4jxTAMZSmuVI4WrvDCdq1yGoU2CXbR-tiHFe-Q/extension_5116_315_0_0.crx?cms_redirect=yes&expire=1458483142&ip=80.250.30.162&ipbits=0&mm=31&mn=sn-2gb7ln7l&ms=au&mt=1458468620&mv=m&nh=IgphcjAxLnByZzAyKgkxMjcuMC4wLjE&pl=19&sparams=expire,ip,ipbits,mm,mn,ms,mv,nh,pl&signature=387559FD073A7BB457A3F85F481644E43CB89847.39AA73BA9FAE0C968F342C5372963A4432965005&key=cms1 Content-Type: text/html; charset=UTF-8 Server: ClientMapServer Content-Length: 757 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://r8---sn-2gb7ln7l.gvt1.com/crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP0swKAzb3KcuJ8GizR3XY3LLuJfiJzLNDj_ji1aWUDeGHBdIN_TAVFhwePtVA4WtATHAD1XXQqOLoQB6frm4jxTAMZSmuVI4WrvDCdq1yGoU2CXbR-tiHFe-Q/extension_5116_315_0_0.crx?cms_redirect=yes&expire=1458483142&ip=80.250.30.162&ipbits=0&mm=31&mn=sn-2gb7ln7l&ms=au&mt=1458468620&mv=m&nh=IgphcjAxLnByZzAyKgkxMjcuMC4wLjE&pl=19&sparams=expire,ip,ipbits,mm,mn,ms,mv,nh,pl&signature=387559FD073A7BB457A3F85F481644E43CB89847.39AA73BA9FAE0C968F342C5372963A4432965005&key=cms1">here</A>. </BODY></HTML>
,
Mar 21 2016
To clarify, Cast streaming (used to stream captured tab content to ChromeCast devices) only happens when users explicitly start mirroring tab. Media router extension is whitelisted to use tab capturing and cast streaming.
,
Mar 22 2016
Cast streaming is hosted as a component on CWS that's why it's distributed via HTTP. Normal extensions in the Chrome Web Store (CWS) are distributed via HTTPS. CWS signs all CRX with the private key and Chrome will validate the downloaded CRX on client side with the public key to ensure integrity. So what you have observed is the expected behavior.
,
Mar 22 2016
Hello, thanks, there are two issues in this report, Cast extension (or Media Router extension) being downloaded/updated and it being enabled automatically. Is there any way to solve second part of the issue? I'm not aware of any way I could disable / uninstall the Media Router / Cast extensions. Thank you |
||
►
Sign in to add a comment |
||
Comment 1 by battre@chromium.org
, Mar 21 2016Owner: lottie@chromium.org
Status: Assigned (was: Untriaged)