New issue
Advanced search Search tips

Issue 732171 link

Starred by 3 users
Status: Untriaged
Owner: ----
Cc:
ajha@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Feature



Sign in to add a comment

Symlinks are allowed in Developer Mode

Reported by homakov@gmail.com, Jun 11 2017 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
It's true that developer mode is considered dangerous, but these days many apps e.g. MyEtherWallet.com offer to sideload extensions as more trustless way to use the app.

What is the expected behavior?

What went wrong?
Dev mode also allows an extension to have symlinks. here is a demo reading /etc/passwd https://github.com/homakov/maliciousext

I believe it would be a good idea to warn the user that directory contains symlinks before loading the extension, (even though Dev mode is considered harmful already).

WebStore page: 

Did this work before? N/A 

Chrome version: 58.0.3029.110  Channel: n/a
OS Version: OS X 10.12.5
Flash Version:

Comment 1 by woxxom@gmail.com, Jun 11 2017 

Note that the problem is not limited to "developer mode" because this mode is not required for side-loading of extensions: the user can be instructed to simply drag'n'drop the extension directory onto chrome://extensions page. I've been using this feature a lot over the last 5+ years while developing and testing extensions. Also, a malware program can add --load-extension=/path/to/unpacked/extension command line switch to the Chrome shortcut/registry at least in Windows. 

P.S. There's nothing particularly "harmful" or "dangerous" in developer mode per se as it simply facilitates access to background pages and exposes a few functions either harmless or available elsewhere. As far as considerations go, even devtools console is considered "harmful" because non-savvy users may be manipulated into running js code that steals their personal data.

Comment 2 by nyerramilli@chromium.org, Jun 12 2017

Labels: Needs-Milestone

Comment 3 by homakov@gmail.com, Jun 12 2017 

Interesting, I never thought I could drag the folder w/o Dev mode and loading unpacked ext. Do you plan to fix or warn about symlinks which seem like the only way extensions can impact the host system?

Comment 4 by ajha@chromium.org, Jun 15 2017

Cc: ajha@chromium.org
Labels: -Type-Bug -Needs-Milestone M-61 OS-Linux OS-Windows Type-Feature
Status: Untriaged (was: Unconfirmed)
Marking this as Untriaged and as Feature request, for consideration of warning about symlinks. Requesting the respective team for more inputs on this.

Sign in to add a comment