Issue 635442 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	----
Closed:	Aug 2016
EstimatedDays:	----
NextAction:	----
OS:	Windows
Pri:	2
Type:	Bug-Security
Via-Wizard

Native Messaging doesn't verify the integrity of the called host application

Reported by anders.r...@gmail.com, Aug 8 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Steps to reproduce the problem:
Well it simply does not verify the integrity of the host application

What is the expected behavior?

What went wrong?
This is a design issue

Did this work before? No 

Chrome version: 51.0.2704.103  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 22.0 r0

Comment 1 by och...@chromium.org, Aug 9 2016

Status: WontFix (was: Unconfirmed)

It seems like the scenario that this defends against would involve a compromise of the at least the OS user's account, at which point there are far more interesting things for an attacker than impersonating a host application.

Please see http://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

Comment 2 by wfh@chromium.org, Aug 9 2016

Labels: -Restrict-View-SecurityTeam

Comment 3 by anders.r...@gmail.com, Aug 9 2016

Pardon me but I guess I described the issue incorrect :-(

The issue is that there is no secure binding between the extension and the native application which makes it impossible creating a vetting infrastructure.

►

Issue 635442 link

Issue metadata

Native Messaging doesn't verify the integrity of the called host application

Issue description

Comment 1 by och...@chromium.org, Aug 9 2016

Comment 1 Deleted

Comment 2 by wfh@chromium.org, Aug 9 2016

Comment 2 Deleted

Comment 3 by anders.r...@gmail.com, Aug 9 2016

Comment 3 Deleted

Sign in to add a comment