New issue
Advanced search Search tips

Issue 736595 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
caseq@chromium.org
dgozman@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 3
Type: Feature



Sign in to add a comment

Security: Potential malware can access chrome remote interface easily

Reported by mail.jul...@gmail.com, Jun 24 2017 
VULNERABILITY DETAILS
A potential malware can activate the chrome remote interface simply by changing the desktop icon and adding "--remote-debugging-port=9222" to the cmd. This opens the remote interface on port 9222. With this you can control the browser, read out page content, executing javascript. A user can not see if this interface is activated or not. There should be a notice when the remote interface is activated.

VERSION
Chrome Version: 59.0.3071.109
Operating System: tested on MacOSX 10.12.5 and Windows 8.1

REPRODUCTION CASE

How to use the remote interface: https://chromedevtools.github.io/devtools-protocol/

Comment 1 by dominickn@chromium.org, Jun 26 2017

Cc: caseq@chromium.org dgozman@chromium.org
Components: Platform>DevTools
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3 Type-Feature
Status: WontFix (was: Unconfirmed)
This requires an attacker to have physical access to a machine to change the shortcut. Adding the lines to the shortcut itself is also a nontrivial operation for most users that you must explicitly go out of your way to do. So that means this isn't a security issue (hence I'm lifting the security restrictions).

However, it may be worthwhile having Chrome display some sort of disclosure when remote debugging is enabled (or maybe it's not if people commonly use that mode to take screenshots etc.). +cc the devtools people for thoughts.

Comment 2 by mail.jul...@gmail.com, Jun 26 2017 

changing the desktop icon is a default behavior of adware to force a certain default page. Writing files on the desktop requires only low permissions. Because a user can not easily verify if this interface is activated, it is very easy for adware/malware to get password, other confidential information or adding adscripts to the page without installing an extension.

Sign in to add a comment