This vulnerability enables making a link which downloads a potentially malicious file without user confirmation.
Reported by karlhein...@gmail.com, Jun 25 2016
Issue description

VULNERABILITY DETAILS
This vulnerability enables us to craft a link which downloads a potentially malicious file without user confirmation.

VERSION
Chrome Version 50.0.2661.102 (64-bit)
Operating System: OS X El Capitan 10.11.5

REPRODUCTION CASE
Step 1: Copy the share link of the malicious file from Google Drive.
Example: https://drive.google.com/open?id=0ByB8ANAP9wwnYWtyREg0ZmtUd1E

Step 2: Change the "open" parameter with "uc". The resulting link is as follows
https://drive.google.com/uc?id=0ByB8ANAP9wwnYWtyREg0ZmtUd1E

Step 3: Send this link to anyone. If the victim uses Chrome and clicks on the link, the malicious file gets downloaded without his confirmation. Notice that I used a simple JS file but it could be an arbitrary executable.

Alternative link:
https://drive.google.com/uc?export=download&id=0ByB8ANAP9wwnYWtyREg0ZmtUd1E
This link represents the same problem with some additional parameters which may or may not have additional security implications in the implementation.
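An added example for defenders, not part of the original report and not Chromium or Google code: a mail or proxy filter can tell the two link forms in the report apart and rewrite the direct-download form back to the viewer form. The function names, the sample message and the lookalike host are constructed for illustration; only the `/open`, `/uc`, `id` and `export` URL parts come from the report.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

DRIVE_HOST = "drive.google.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_drive_link(url):
    """Return 'direct-download', 'viewer' or 'other' for one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    # Exact host match, so drive.google.com.example.net is not treated as Drive.
    if parts.scheme not in ("http", "https") or host != DRIVE_HOST:
        return "other"
    if not parse_qs(parts.query).get("id"):
        return "other"  # no file id, nothing to fetch
    if parts.path == "/uc":
        return "direct-download"  # form from Step 2 and the alternative link
    if parts.path == "/open":
        return "viewer"  # form from Step 1
    return "other"


def to_viewer_link(url):
    """Rewrite a direct-download link to the viewer form; leave others alone."""
    if classify_drive_link(url) != "direct-download":
        return url
    file_id = parse_qs(urlsplit(url).query)["id"][0]
    # Drops export=download and any other parameter; keeps only the file id.
    return urlunsplit(("https", DRIVE_HOST, "/open", urlencode({"id": file_id}), ""))


def flag_direct_downloads(text):
    """Return every direct-download Drive link found in a block of text."""
    return [u for u in URL_RE.findall(text)
            if classify_drive_link(u) == "direct-download"]


# Constructed sample message; the Drive URLs are the ones quoted in the report.
SAMPLE_MESSAGE = """Invoice attached:
https://drive.google.com/uc?export=download&id=0ByB8ANAP9wwnYWtyREg0ZmtUd1E
Preview: https://drive.google.com/open?id=0ByB8ANAP9wwnYWtyREg0ZmtUd1E
Mirror: https://drive.google.com.example.net/uc?id=0ByB8ANAP9wwnYWtyREg0ZmtUd1E
"""

if __name__ == "__main__":
    for link in flag_direct_downloads(SAMPLE_MESSAGE):
        print(link, "->", to_viewer_link(link))
```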
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vakh@chromium.org, Jun 27 2016