Attacker can change the preferred network in guest mode and it will persist for future logins. This is related to bug # 595563
Chrome Version: 49.0.2623.111
Operating System: 7834.66.0 stable parrot - ChromeOS
1. Login as Guest.
2. Remove preferred Wifi network, and add a new one.
3. Make the new network preferred.
4. Reboot, and login as guest again, the new network will be used.
5. Reboot as login as a regular user, the new network will be used.
Attack scenario would be a public place like a library or Starbucks with a shared ChromeBook available for users. The attacker would setup their own network with a sniffer and an MITM proxy, and then will switch the public ChromeBook to use his/her network. All subsequent users will default to the new network.
An additional level of exploitation would occur if a webpage or download file can get access to the "chrome.networkPrivate" APIs, and can modify these settings without physical user access.
This may be someone mitigated by not allowing guest users to change network settings, but should still be fixed.
Original ChromeOS design document for security specifically addresses this case:
"Only the Owner should be able to change system settings. We don't want random users able to add to the whitelist, set the device to promiscuous mode, or reset the default network."