
Issue 630054


Issue metadata

Status: WontFix
Owner:
Closed: Jul 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug-Security




Remove permission "Download files without notification"

Reported by igor1201...@gmail.com, Jul 21 2016

Issue description

Steps to reproduce the problem:
When visiting some sites with Google AdSense, the browser can automatically download the file important-browser-update.apk (1.png, 2.png, 3.png, 4.png) with malware.
2. 
3. 

What is the expected behavior?

What went wrong?
It happens because the browser has the permission "Download files without notification". It's an unacceptable and flagrant violation of security, especially for users with Android 5.0 who can't control permissions. Imagine that some users don't know about malware and may believe that it is a real browser update.
Please remove the permission "Download files without notification" for the security of users.

Did this work before? N/A 

Chrome version: 54.0.2800.0  Channel: canary
OS Version: 5.1
Flash Version:
 
Owner: vakh@chromium.org
Varun, should safe browsing have caught this on Android? From the screenshots, the user appears to be running Chromium, not Chrome, if that makes a difference.

Comment 2 by vakh@chromium.org, Jul 21 2016

Cc: kerrnel@chromium.org
On Android, Chrome uses internal APIs for SafeBrowsing detection. Chromium can't use those APIs on Android so right now, SafeBrowsing protection isn't available in Chromium on Android.
And, to me, the rest of the issue (allow "Download files without notification") is working as intended.
Status: WontFix (was: Unconfirmed)
Based on Varun's information, this is a WontFix. Download is as intended, and Chromium won't have safe browsing.
OK, I understood. Thanks for the explanation.
Sorry for the very emotional style of my first comment, but I didn't think that this is not a hole in security. APK malware downloads without my permission, and it's shocking.
Yeah, I know that the majority of common people don't use Chromium.
I can only hope that it'll be fixed in the future (maybe by setting some filter for APK files or just a warning, like the Android option "Allow installation of apps from unknown sources").
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 28 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
