Security: CrOS in developer mode allows kiosk apps to exit to a command prompt
Reported by raniel...@gmail.com, Oct 17 2016
Issue description

VULNERABILITY DETAILS
CrOS devices in developer mode allow users to leave a kiosk app via virtual terminals, thus defeating kiosk mode. Once the virtual terminal is open, the user can log into the device, including as root. This happens in all versions of CrOS, not just the dev channel. Kiosk app developers rely on kiosk mode to ensure security of content, etc., which is severely compromised in this situation.

VERSION
chrome 55.0.2883.7 (Official Build) dev (64-bit)
chrome OS 8872.6.2 (Official Build) dev-channel cyan

REPRODUCTION CASE
1. Put a CrOS device into developer mode following instructions at https://www.chromium.org/chromium-os/poking-around-your-chrome-os-device
2. Install a kiosk app such as https://chrome.google.com/webstore/detail/sample-test-kiosk-app/melmempfncibgepnoebbmgklmdogpnoj
3. Launch the kiosk app and press ctrl-alt-f2, ctrl-alt-f3, or ctrl-alt-f4. All 3 of these combinations open a new virtual terminal and allow you to log into the device.
Oct 18 2016
This is indeed working as intended. Kiosk mode is not designed with the implication of restricting local access via dev mode. In case you might find this useful: Note that the Verified Access API allows apps to cryptographically attest to a server that the device in question is running in verified mode: https://support.google.com/chrome/a/answer/7156268 AFAIK, Verified Access is only available on remotely managed devices at this point though (but feel free to file a feature request detailing your use case).
Oct 18 2016
Comment #2 is contradictory to https://developer.chrome.com/apps/manifest/kiosk_enabled:
When a Kiosk App is configured to run on Chrome OS using Single App Kiosk Mode, the user has no control over the app's lifecycle. The user cannot exit the app or switch to another task. However, as an app developer, you can offer a "logout" or "exit" button within the app to close all its windows, which terminates the session and returns the user to the login screen.
Oct 18 2016
Re comment #3: I agree that the quoted documentation fails to mention developer mode as an edge case. Filed issue 656970 to track the documentation update.
Oct 18 2016
The edge case is where the security issue lies, and needs to be fixed.
Oct 18 2016
This remains a WontFix, sorry. As explained elsewhere, relying on client-enforced security is fragile. Even if we were to put a check that only allows installation of kiosk apps in verified mode, that'd still be trivially circumvented by running modified software on a device (or installing official software in dev mode and slightly modifying it). The only remedy that I'm aware of which might give you somewhat meaningful "security" is to gate content access for a device on it proving that it's a legit Chrome OS device in verified mode to the server via Verified Access. Note that even that can be overcome by a reasonably sophisticated attacker.
Nov 3 2016
Per email discussion we'll look into exploring FR: https://bugs.chromium.org/p/chromium/issues/detail?id=656670
Comment 1 by mmoroz@chromium.org, Oct 17 2016
Components: UI>Shell>Kiosk
Owner: rickyz@chromium.org