
Issue 602097

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2016
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security




Malware prevents inline extension installations

Reported by la...@standsapp.org, Apr 10 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce the problem:
1. Go to a website that has an inline extension installation
2. Run this code: chrome.webstore.install = null;
3. Trying to install an extension from the site won't work

What is the expected behavior?
Trying to override this function will throw an exception.

What went wrong?
Inline extension installation won't work

Did this work before? N/A 

Chrome version: 49.0.2623.110  Channel: stable
OS Version: OS X 10.11.0
Flash Version: Shockwave Flash 21.0 r0

Example of an injected script from malware that causes it:

https://bhd9.com/g4.php?snid=MjAyMDIwMjAyMDIwMzI0YTMwMzEzMDMwMzAzNTM3NDU0YzQ0NDIzMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==&rnd=932016
 

Comment 1 by kenrb@chromium.org, Apr 11 2016

Status: WontFix (was: Unconfirmed)
Thanks for the report.

Unfortunately, this is not something that Chrome can realistically defend itself against. If malware is present on the system and interfering with the behavior of the browser, any mitigations that Chrome attempts to use can potentially be circumvented by the malware.

Comment 2 by la...@standsapp.org, Apr 11 2016

I thought that preventing an override of such important and basic functions is something that is simple to do and allows infected users to install extensions that help them protect against such malware.
Hopefully you will reconsider in the future.

Thanks.
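
The behaviour requested in the report (an exception when the function is overridden), sketched as an added example that is not part of the original thread and is not Chromium code. It assumes a stand-in `webstore` object (hypothetical; the real `chrome.webstore` exists only inside Chrome) and locks its `install` property with `Object.defineProperty`; it also shows that the lock helps only when it runs before the overriding script, and that non-strict code gets no exception at all.

```javascript
// Stand-in for the page-visible chrome.webstore object (constructed for this
// example so it runs in Node.js; not Chrome's implementation).
function makeWebstore() {
  return { install(url) { return 'installing ' + url; } };
}

// Turn the ordinary writable property into a non-writable, non-configurable one.
function lockInstall(webstore) {
  Object.defineProperty(webstore, 'install', {
    value: webstore.install, writable: false, configurable: false, enumerable: true,
  });
  return webstore;
}

// The assignment from step 2 of the report, executed as strict-mode code.
function tryOverride(webstore) {
  'use strict';
  try {
    webstore.install = null;
  } catch (e) {
    return 'threw ' + e.name;
  }
  return webstore.install === null ? 'overridden' : 'ignored';
}

// The same assignment as non-strict code: a Function-constructor body is
// sloppy unless it carries its own 'use strict' directive.
const tryOverrideSloppy = new Function('webstore',
  'webstore.install = null;' +
  'return webstore.install === null ? "overridden" : "ignored";');

// Run the override with the lock applied either before or after it.
function run(lockFirst) {
  const ws = makeWebstore();
  if (lockFirst) lockInstall(ws);
  const result = tryOverride(ws);
  if (!lockFirst) lockInstall(ws);   // too late: this freezes the null in place
  // A page can detect the tampering with a simple type check before calling.
  return { result, usable: typeof ws.install === 'function' };
}

console.log('lock first, strict override :', run(true));
console.log('override first, then lock   :', run(false));
console.log('lock first, sloppy override :', tryOverrideSloppy(lockInstall(makeWebstore())));
```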
Project Member

Comment 3 by sheriffbot@chromium.org, Jul 18 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
