Issue metadata
Sign in to add a comment
|
Security: Bypass profile deletion in ephemeral mode
Reported by
sahilhas...@gmail.com,
Sep 30 2017
|
||||||||||||||||||||
Issue description
Chrome Version : 61.0.3163.100
Summary: Can bypass administrative settings and force Chrome to use your profile when in ephemeral mode.
What steps will reproduce the problem?
1. cd ~/.config/google-chrome (i.e. go into the google chrome folder within the user's .config file)
2. Remove the Local State file and Profile $i (or Default) directory. Note that this step is not entirely necessary, just most of the tests I have run have been done with removal of these two files. You can likely get the same results with some clever scripting that pulls out the session id number and creates a directory that has that same number (i.e. Profile 1)
3. Pass in your own Profile directory and Local State into google-chrome. For reference, I stored a copy of my profile and local state on an NFS mount and had a simple wrapper around my chrome launcher that copied these files into .config and replaced the previously stored information. I used a directory called Profile 2 and a Local State that corresponded with that. I got that profile by merely copying in a profile created during a previous instance of an ephemeral mode run, and its equivalent local state file.
4. Launch Chrome and hit restore tabs. All information is seemingly retained (I checked for extensions, themes and tabs/cookies. No apparent difference)
More drastically, you can actively create the google-chrome folder within .config and pass in your Local State and Profile before Chrome is ever launched. This will ensure that upon launch your profile is immediately loaded.
What is the expected result?
When a user signs in to Google Chrome with their corporate account a *new profile* is created for that session and stored on disk.
What happens instead?
Chrome is loaded up with the passed-in profile.
Possible Solution:
Probably can merely overwrite any existing profiles within the google-chrome folder upon startup (i.e. ignore any preexisting profiles).
Attack scenario:
Many possible scenarios come to mind, but in general this seems to be clear unintended behavior. A possible example:
If on a shared use public laptop/desktop, can have a background cron job (or the like) that steals a user's profile and then allows the next person to use the machine to access that user's cookies/stored information/etc. Or allow employees in enterprise settings to circumvent ephemeral profile restrictions, etc.
Please provide any additional information below.
N/A. Feel free to contact at any time for follow-ups.
System Configuration:
Likely irrelevant, but just in case:
lsb_release -a:
Distributor ID: Debian
Description: Debian GNU/Linux 9.1 (stretch)
Release: 9.1
Codename: stretch
,
Oct 1 2017
https://support.google.com/chrome/a/answer/3538894?hl=en That is what I am referring to when it comes to ephemeral mode. As for your other points, I would argue that if an admin sets a policy forcing ephemeral mode, and any user can bypass that setting and retain a consistent profile (by using the methodology described above), that does not construe a comprised computer but rather an error in policy. I guess the fundamental question I'm asking is, does a regular user being able to bypass sys-admin set policy construe an attack outside of Chrome's threat model? Alternatively, could this possibly be an issue in terms of categorization rather than "not a bug"? I.E should this be a privacy issue, etc not a security one?
,
Oct 2 2017
Local attack is not in the security threat model. You can do many other things if you have access to change stuff in the user profile directory. Also, users in a shared setting won't use the same profile directory.
,
Jan 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Oct 1 2017