Security: Allowing an authorized user to view an unauthorized google drive on a managed device
Reported by alex37...@gmail.com, Sep 1 2016
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template.

Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely deployed.

VULNERABILITY DETAILS
This bug allows an authorized user to access Google Drive for an unauthorized account on a Chromebook where doing so is prohibited by the system admin.

VERSION
Chrome Version: 52.0.2743.116 (Official Build) (64-bit) Stable
Operating System: Platform 8350.68.0 (Official Build) stable-channel kip
Firmware Google_Kip.5216.227.

REPRODUCTION CASE
All I know is how I caused this to occur; when I duplicate the web page the bug does not occur. Therefore I am going to attach a list of instructions for how to replicate. If this does not meet your criteria, sorry. I did this on a school-owned Chromebook, and may refer to it as such.

Make sure you are logged into the Chromebook with both your approved (school account) and unapproved (personal account) - it is possible to log into both, just not access the Google Drive on the approved account normally.
Go to a different computer (probably phone).
Share a doc using the "send a copy" link to your approved account on the restricted Chromebook (school account in this case).
Open the link in that email, finding you have opened a doc as your restricted self, and not as the approved account.
You can edit and do anything as the unapproved person.
Then turn off the WiFi on the Chromebook to disconnect from the internet.
To access Google Drive, click the "To Google Docs" button in the top left corner to go to Google Docs.
Then click the "To Google Drive" button on the Google Docs upper left corner menu.
Once you are in Google Drive as the unapproved person, turn the WiFi back on.
You now have full access to Google Docs.

Notes:
Once back online, reloading the webpage will not work, and duplicating the tab will not produce a second authorized tab.
However, as long as the tab stays open and is not refreshed, Google Drive will work, and documents can be opened and edited even while connected to the internet.
Dec 9 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vakh@chromium.org, Sep 2 2016