
Issue 690567

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: ----
Type: Bug-Security




Security: Chrome policy bypass

Reported by tsuserga...@gmail.com, Feb 9 2017

Issue description

VULNERABILITY DETAILS
This non-restricted feature in Chrome allows the user to bypass policies set for the device. From my testing this also appears to affect required extensions and the extension blacklist/whitelist policies, allowing simple bypass of many enterprise access control solutions.

VERSION
Chrome Version:
   Google Chrome   55.0.2883.105 (Official Build) (64-bit)
   Revision        0
   Platform        8872.76.0 (Official Build) stable-channel candy
Operating System: ChromeOS

REPRODUCTION CASE
Exact steps used to execute the bypass:
1) Browse to the Chrome settings page chrome://settings/syncSetup
2) Click on the "Encrypt all synced data with your own sync passphrase" bubble
3) Enter your own credentials (I used "test123" for testing) and press [Enter]
4) The Chromebook screen should go black temporarily, then return (still logged in); however, policies will not be in effect.

 
Components: Services>Sync Enterprise
Labels: Needs-Feedback OS-All
When you say "bypass of many enterprise access control solutions", do you mean that encrypting Chrome Sync data causes Chrome enterprise policy flags to stop working? Or do you mean that it causes some 3rd-party software to stop working? If the latter, what software? What policy goals are you trying to achieve?

Comment 2 Deleted

When the sync data is encrypted, the enterprise policy flags stop being applied to the device. From there you can install blacklisted extensions, access developer tools (which should be restricted; the flag is supposedly set), and do all sorts of things that should be disabled by the enterprise policy flags. The primary issue is that required extensions also stop functioning; for example, the internet access control extension iBoss for Chrome is no longer forcefully installed via policy and is then removable, or not installed at all on the device.

*Note: This was deleted and modified to reword and clarify some aspects from the original comment.

The issue only affects the current session on the Chromebook; when the user relogs, enterprise flags do reinstate themselves.
Bug fixed on this Chrome version:
   Google Chrome   56.0.2924.87 (Official Build) (64-bit)
   Revision        0
   Platform        9000.82.0 (Official Build) stable-channel wolf

Comment 6 by palmer@chromium.org, Feb 16 2017

Status: WontFix (was: Unconfirmed)
Project Member

Comment 7 by sheriffbot@chromium.org, May 26 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
