Security: Ability to Powerwash w/ keyboard shortcut when logged out without owner confirmation, thus wiping local downloads/partitions
Reported by mndyp...@gmail.com, Oct 16 2016
Issue description

VULNERABILITY DETAILS
A Powerwash on Chrome OS can be initiated by anybody (not just the owner) using the Ctrl + Alt + Shift + R keyboard shortcut on the login screen when a user is signed out. While this is what Google Support lists as the steps to Powerwash with shortcut keys (https://support.google.com/chromebook/answer/183084?hl=en), this leaves a glaring issue. Downloaded files (stored in Downloads in the Files app) and other partitions (like Ubuntu via Crouton) can be deleted without the owner's permission, knowledge, password, etc. Anybody with physical access could maliciously wipe local downloads. While Chrome OS is a cloud OS, average users do download many files locally. If guest accounts do not have the ability to Powerwash via Settings menu, why should anyone who navigates to the login screen be able to? A possible solution would be to disable the shortcut unless logged in or require Google Account credentials of owner be entered before a Powerwash is initiated.

VERSION
Chrome Version: 53.0.2785.154 + stable
Operating System: Chrome OS

REPRODUCTION CASE
Ctrl + Alt + Shift + R when signed out and on the login screen. Following steps to Powerwash will wipe all downloaded files without any owner confirmation.
Oct 17 2016
This behavior is by design. See the helpcenter article here: https://support.google.com/chromebook/answer/183084?hl=en
Oct 17 2016
The design is highly dangerous then for Chrome OS devices used by multiple users. On a personal anecdote, I had a device Powerwashed by a guest user who was facing a bug, Google'd for instructions, and came across a Powerwash as a solution. The shared nature of Chrome OS devices clearly takes into account the idea that guest accounts shouldn't be able to Powerwash. In that case, why should anybody who can simply log out be able to wipe a device? This leaves Enterprise/managed devices culpable for untraceable theft by simply wiping. Should there not be a security feature to restrict Powerwashes to device owners?
Oct 18 2016
Hi, the only guarantee we can make here is that guest accounts cannot easily access data that belongs to other accounts. When somebody else has physical access to the device, we cannot prevent them from wiping the device, or otherwise breaking it (for example, a guest user could also physically break the device). It is not easy to restrict powerwashing to the owner without breaking other legitimate use cases (for example, if owner of a device cannot be physically present, or if the owner forgets their password), so in general, we need to trust whoever is physically in front of the device.
Jan 24 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 15 2017
Issue 743582 has been merged into this issue.
Jul 15 2017
I have a concern that we are not considering other possible cases which are more likely to happen than someone's intent of actually physically breaking the device.
1. Accidental powerwash of device by guests affecting actual owner.
2. Intent of thieves to clear the stolen device contents.
3. Shared devices in school or college being powerwashed with intent of clearing someone else's work.
The description of support page has few special cases mentioned with specific intent in mind. I feel powerwash is much greater risk compared to changing of Channel within Chromebook. But for changing Channel from Stable to Beta, there is restraint for guest user but for powerwash it's open.
Comment 1 by mmoroz@chromium.org, Oct 17 2016
Owner: rickyz@chromium.org