Desktop notifications shouldn't be shown for locked profiles
Reported by vivek202...@gmail.com, Sep 21 2016
Issue description

VULNERABILITY DETAILS (Kindly go through the video file https://drive.google.com/file/d/0B_GrGDmkqkC4NmJGX3ZVS1gzbms/view?usp=sharing for a more detailed explanation.)

Google Chrome has a feature to lock a user's Chrome SESSION/PROFILE using the CHILD LOCK button (profile management system). This article briefly describes the feature: https://support.google.com/chrome/answer/3463947?hl=en. Here the user has to provide the Google account password to unlock the CHILD LOCKED session if it is locked. This security bug allows anyone to have access to a locked session/profile without the password.

VERSION
Version 53.0.2785.116 m
OS: Linux Ubuntu, Windows 8.1

REPRODUCTION CASE
1) ENABLE SITE NOTIFICATIONS
Allow sites to show notifications (go to Settings -> Content settings -> Notifications).
2) ENABLE CHILD LOCK IN NEW PROFILE MANAGEMENT SYSTEM
Enable the new profile management system: in a new tab enter the address "chrome://flags", press Ctrl+F and search for "Enable new profile management system", click the link to "Enable" the feature (on dev, change 'default' to 'enabled'), and finally press the "Relaunch Now" button at the bottom of the browser window. On relaunching Chrome, the User Manager window will appear and ask for the password of the Google account. So with these settings Chrome should not allow anyone to access the child-locked session without the password. Type in your Google password and unlock your profile.
NOTE - Check the EXTENSIONS in the settings tab. They are visible.
Child lock the profile now.

CASE 1 (clicking on notifications)
3) Wait for the notification from websites. (I have used LinkedIn notifications for demonstration in the video attached.)
4) When the notification pops up in the lower right corner of the desktop, click on it.
Expected - The link should open in Chrome, but as the session/profile is locked, Chrome should ask for the password to authenticate the user and then open the website.
Actual - After clicking the notification, Chrome doesn't authenticate the session/profile and opens the locked profile without the password.
NOTE - Check the EXTENSIONS in the settings tab. They are invisible. Extensions are not visible in this case, but history, bookmarks and passwords are visible.

CASE 2 (clicking on links from third-party apps)
The Chrome session/profile is child locked again.
5) Open a notepad or PDF reader app and type in any URL like googlee.com, then click on that link. If Chrome is your default browser, the link should open in Chrome. Here, after clicking on the link, Chrome asks for the profile password to unlock the session and then opens the link. So authentication takes place in this scenario. (See the video for more issues in this case: https://drive.google.com/file/d/0B_GrGDmkqkC4NmJGX3ZVS1gzbms/view?usp=sharing)
Sep 21 2016
Thanks for the clear report and the excellent demonstration video! From a security point-of-view, profile switching is not a security boundary (an attacker with physical access to the PC could just grovel the filesystem to steal state from other profiles) but this certainly looks like a functionality bug in this feature. Assigning to component.
Sep 22 2016
I didn't get how it's a functionality bug if the feature works fine but password authentication is not done. (The other bug about clicking on links in third-party apps, where the link doesn't open, is surely a functionality bug, but not the bug about notification links. It works as expected but authentication is not done.) If people are locking their profile, it means they want total security/privacy about their session from strangers, family and friends. The purpose of this functionality is to protect profile privacy from family, children (child lock), supervised users or friends and not from strangers, which is not 100% achieved due to this bug. It's not about the attacker stealing state or a password. It's about protecting the user's profile history and passwords from their own friends, family and children or supervised users. As per your explanation in the comment, you mean to say, for example, that if someone finds a way to unlock an Android screen pattern lock, Google will say no, it's not a security bug, it's a functionality bug, because it allows the attacker to access information in the phone if he has access to the phone. Is it so? The phone screen lock is meant to protect access to the phone, and so the child lock feature to protect access to profiles. Google markets the feature saying "block account access to supervised users" (https://support.google.com/chrome/answer/3463947?hl=en), which is not achieved due to this bug, and you say it's not a security bug. I lock my profile every time at home or office to protect my privacy, and the same with many people. I can't tolerate that some bug allows people to access my profile though child locked when Google says no one will have access to it if you child lock. That's why I spent some time to report the bug so people can be safe. You should surely reconsider this!!
Sep 23 2016
> If people are locking their profile, means they want
> total security/privacy about their session from strangers,
> family and friends.

As explicitly noted in https://support.google.com/chrome/answer/3463947?hl=en: "We recommend sharing your computer only with people you trust. 'Exit and childlock' helps protect your privacy, but childlock is not a strong security measure against strangers."

> I didn't get how it's a functionality bug if the feature
> works fine but password authentication is not done.

It's a functionality bug because the feature *does not* work as expected, because, as you've noted, password prompting is expected but isn't happening when the user responds to a notification. The reason it is not a security bug is that the Child Lock is not a security boundary; in Windows, the Windows Login User Account is the security boundary. An attacker running code within a single Windows Login User Account has many different ways to steal any data to which your account has access. If you wish to securely share your device with a determined attacker, the only way to do so is to have them log in to Windows using a different account (e.g. Guest).

> I lock my profile every time at home or office to protect my privacy

The proper mechanism for doing so is using a password on your Windows user account and locking your PC using the Windows mechanism for doing so (e.g. hit WindowsKey+L).

> ... you mean to say ... android screen pattern lock ...

No, Android is not Windows. Logging into an Android or Chromebook device is akin to a Windows User Account login; it is deemed a security boundary.
Sep 27 2016
+ treib @treib: Shall we take a look? I admittedly don't know much about the "new profile management system". But I saw that it is available for years now. Not sure if this will ever launch and if it's worth fixing this issue.
Sep 27 2016
The "new profile management" has been launched for a while - changing that flag from "default" to "enabled" shouldn't actually change anything anymore. Adding some folks who worked on this, and who might know how hard it'd be to fix this.
Sep 27 2016
+mahmadi who works on the new user manager

Is this a correct characterization of the bug: when you have locked a profile via "Exit and childlock," you can still open the profile without a re-auth by clicking a link from an external app or clicking on a desktop notification? mahmadi@ - can you check this out? Are you able to repro?
Sep 29 2016
As with the other non-core functions that need to be blocked for Locked Profiles (such as, for example, the App Launcher), this has to be implemented in the feature's code (so in this case, in the notification code's display of the notification). It's necessary to find the Profile the notification is for, or at least its path. profile_window.h offers a namespaced function IsProfileLocked() which should be checked before showing the notification.
Sep 29 2016
Yeah, if 2 profiles are created and both have enabled notifications from the same website or different websites, Chrome can't decide which profile account the notification is from and opens the link in the admin/main profile, though the notification is from the other profile's website.
Sep 29 2016
#8 - ok, you're basically saying this change needs to be made at the desktop notifications code level, not the user manager code level, correct? What about clicking external links? How can we handle that? If anything, that seems more concerning to me than desktop notifications.
Sep 30 2016
Re: ewald@ #10 - yes, change should be made at desktop notifications. We should not even be showing the notification if the Profile is locked. Although there should be checks in the Profile opening process (various code in profile_window or startup_browser_creator) that ensure that, even if some UI surface tried to open a Browser window for a Profile that's locked, we re-direct to the user manager.
Sep 30 2016
Ah I see, I misread the description. I thought clicking an external link opened the profile directly (circumventing child lock). The bug with external links is that the link doesn't actually carry through and open in the profile after you re-auth in the user manager. So that's a separate bug (filed Issue 651855 to track). +rpop@ do you know who owns the desktop notifications code?
Sep 30 2016
I believe it's peter@ and owencm@.
Oct 13 2016
> Although there should be checks in the Profile opening process
> (various code in profile_window or startup_browser_creator) that
> ensure that, even if some UI surface tried to open a Browser window
> for a Profile that's locked, we re-direct to the user manager.

Should that get its own bug too? As shown at 3:54 in the demo video, when the user clicks the notification, they do appear to be logged into the locked profile.
Oct 13 2016
We've put this on the list for Q4 — is there a particular release that this would be important for from a product PoV? My gut feel is that we need a notification blocker that queues notifications when the profile they're being shown for is locked.
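Putting the design sketched in comments #8, #9, #11 and #15 together: the notification display layer looks up the profile (or its path) the notification belongs to, refuses to show it while that profile is locked and queues it instead, and a second check in the profile-opening path redirects any attempt to open a browser window for a locked profile to the user manager. The following is an added, self-contained C++ model of that two-layer design, written for this page; it is not Chromium code and not from anyone in this thread. `LockedProfileNotificationGate::IsProfileLocked` merely stands in for the real `IsProfileLocked()` in profile_window.h, and the profile path strings are constructed sample values.

```cpp
#include <cstddef>
#include <deque>
#include <map>
#include <string>
#include <vector>

// Hypothetical model of a lock-aware notification gate. NOT Chromium code:
// the lock registry below stands in for profile_window's IsProfileLocked(),
// and the profile "paths" used as keys are constructed sample values.

struct Notification {
  std::string profile_path;  // profile the notification was pushed to
  std::string origin;        // site that pushed it
  std::string title;
};

enum class OpenDecision { kOpenBrowser, kRedirectToUserManager };

class LockedProfileNotificationGate {
 public:
  void SetLocked(const std::string& profile_path, bool locked) {
    locked_[profile_path] = locked;
  }

  // Stand-in for IsProfileLocked(): a profile that was never child-locked
  // is treated as unlocked.
  bool IsProfileLocked(const std::string& profile_path) const {
    auto it = locked_.find(profile_path);
    return it != locked_.end() && it->second;
  }

  // Layer 1 (comments #8/#11): decide at notification display time.
  // Returns true if shown now, false if held back because the profile is locked.
  bool Deliver(const Notification& n) {
    if (IsProfileLocked(n.profile_path)) {
      queued_[n.profile_path].push_back(n);
      return false;
    }
    shown_.push_back(n);
    return true;
  }

  // Layer 2 (comment #11): even if some UI surface tries to open a browser
  // window for a locked profile, send it to the user manager instead.
  OpenDecision RequestOpenProfile(const std::string& profile_path) const {
    return IsProfileLocked(profile_path) ? OpenDecision::kRedirectToUserManager
                                         : OpenDecision::kOpenBrowser;
  }

  // Called after a successful re-auth in the user manager: unlock the
  // profile and flush everything queued for it, in arrival order.
  std::vector<Notification> Unlock(const std::string& profile_path) {
    locked_[profile_path] = false;
    std::vector<Notification> flushed;
    auto it = queued_.find(profile_path);
    if (it != queued_.end()) {
      for (const Notification& n : it->second) {
        shown_.push_back(n);
        flushed.push_back(n);
      }
      queued_.erase(it);
    }
    return flushed;
  }

  std::size_t QueuedCount(const std::string& profile_path) const {
    auto it = queued_.find(profile_path);
    return it == queued_.end() ? 0 : it->second.size();
  }

  const std::vector<Notification>& Shown() const { return shown_; }

 private:
  std::map<std::string, bool> locked_;
  std::map<std::string, std::deque<Notification>> queued_;
  std::vector<Notification> shown_;
};

// Scenario from comment #9: two profiles subscribed to the same origin, one
// of them child-locked. Returns how many notifications were shown at once;
// the one for the locked profile must be queued, not shown in the other
// profile. Paths and origin are constructed sample values.
std::size_t RunTwoProfileScenario(LockedProfileNotificationGate& gate) {
  gate.SetLocked("/profiles/Default", false);
  gate.SetLocked("/profiles/Profile 1", true);
  std::size_t shown = 0;
  shown += gate.Deliver({"/profiles/Default", "https://example.test", "hello"});
  shown += gate.Deliver({"/profiles/Profile 1", "https://example.test", "hello"});
  return shown;
}
```

The queue is keyed by profile path rather than by origin, which is what resolves the ambiguity raised in comment #9: the same site can notify two profiles, and only the unlocked profile's copy is displayed. `RequestOpenProfile` is deliberately independent of `Deliver`, so a click that somehow reaches the profile-opening code for a locked profile is still redirected to the user manager.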
Oct 13 2016
I'll caution you that very, very few users use Profile Lock, as it's gated on Supervised Users which are not widely used. You can look in UMA for the Profile.LockedProfilesDuration metric, but I'll give you a hint: it's a very small number. Take that into account when determining how much to invest in your solution.
Oct 14 2016
Child accounts should launch soon though, which will probably increase the usage of profile lock.
Dec 19 2016
--Chrome Identity automated triaging-- This bug is Assigned and has gone one month without any activity, so it is being moved to Available to indicate that it is not actively being worked on. If you are working on this bug, please mark yourself as the owner and move back to Assigned. Please see https://goo.gl/78kbny for more details. Please remove the Services>SignIn or UI>Browser>Profiles components if this bug isn't related to Chrome Identity. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 24 2017
Issue 714402 has been merged into this issue.
Jul 6 2017
Issue 738934 has been merged into this issue.
Aug 3 2017
Issue 752090 has been merged into this issue.
Jan 5 2018
This security hole opens the supervising profile without a password, even when locked, for notifications originating from a supervised profile. See the forum discussion: https://productforums.google.com/forum/#!topic/chrome/aSPZCe22jGI
Sep 3
--Chrome Identity automated triaging-- This bug is Assigned and has gone one month without any activity, so it is being moved to Available to indicate that it is not actively being worked on. If you are working on this bug, please mark yourself as the owner and move back to Assigned. Please see https://goo.gl/78kbny for more details. Please remove the Services>SignIn or UI>Browser>Profiles components if this bug isn't related to Chrome Identity. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot