Can manage device with student email
Reported by
tolen...@gmail.com,
Nov 20 2017
Issue description

VULNERABILITY DETAILS
I can very easily get into my school Chromebooks with my student email and allow administrative access to all student emails, to allow students full control of the Chromebooks, including me.

VERSION
Chrome Version: 62.0.3202.97 + Stable
Operating System: Chrome OS, 62.0.3202.97, Unknown

REPRODUCTION CASE
It is on Chrome OS. You enter developer mode (press Esc + Refresh, then when the Chromebook turns off, hold the keys again, except this time with the power button as well). Then press Ctrl + D, press space to disable verification. Wait for it to turn back on, past the exclamation point. Then it said (I don't quite remember what it said, but it was somewhere close to this) "Executive Function". With an email sign-in, the admin email was at the end, but I entered my student account, I entered my password, then it took me through a Chromebook setup, like it would if it started up for the first time. Once it finished, it said "Managed by (my student email rather than the staff and faculty email)". I signed in with my student email, and it worked; I then had full control over the Chromebook.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace *with symbols*, registers, exception record]
Client ID (if relevant): [see link above]
Nov 20 2017
We don't triage enrollment/admin bypasses as security bugs, over to the enterprise team for triage.
Nov 21 2017
It seems that we are dealing with the issue that every e-mail in the domain can enroll the device. Here a student email works for enrolling. If this is the case, then WAI (unless we want to change this behavior). "I then had full control over the Chromebook" - do you mean that one can log in to the admin panel with a student email?
Nov 21 2017
Over to Drew who can much better triage FRE bugs.
Nov 24 2017
I don't see this as a bug - as described, it sounds like a device without block-dev-mode or FRE enabled. Maybe take a video with your phone and show what happens from right before when you hit Ctrl-D to enter dev mode? Marking WontFix for now pending more evidence/repro steps.
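The triage comments point at three device-management settings an administrator would check before treating this as a bug: whether developer mode is blocked, whether forced re-enrollment (FRE) is on, and which accounts are allowed to enroll devices. The script below is an added audit example for this thread, not code from the bug report or from Chromium; it runs over a constructed JSON inventory with field names chosen for illustration (`block_dev_mode`, `forced_reenrollment`, `enrolled_by`), so mapping it onto a real export from an admin console is left to the reader.

```python
"""Audit a Chrome OS device inventory for the settings named in the triage
comments: developer mode blocked, forced re-enrollment on, and enrollment
done by an approved admin account rather than an ordinary user.

Added example; the inventory and its field names are constructed assumptions,
not a real admin API schema."""
import json
from dataclasses import dataclass

# Constructed sample export (assumption: one record per device).
SAMPLE_INVENTORY = json.dumps([
    {"serial": "CB-0001", "block_dev_mode": True, "forced_reenrollment": True,
     "enrolled_by": "it-admin@school.example"},
    {"serial": "CB-0002", "block_dev_mode": False, "forced_reenrollment": False,
     "enrolled_by": "it-admin@school.example"},
    {"serial": "CB-0003", "block_dev_mode": True, "forced_reenrollment": True,
     "enrolled_by": "student42@school.example"},
])

# Accounts permitted to enroll devices (assumption for the example).
ALLOWED_ENROLLERS = {"it-admin@school.example"}


@dataclass(frozen=True)
class Device:
    serial: str
    block_dev_mode: bool
    forced_reenrollment: bool
    enrolled_by: str


def load_inventory(text: str) -> list[Device]:
    """Parse the JSON export into Device records."""
    return [Device(**record) for record in json.loads(text)]


def audit(devices: list[Device], allowed_enrollers: set[str]) -> dict[str, list[str]]:
    """Return {serial: [problems]} for every device that fails a check.

    A device with developer mode unblocked can be wiped from the keyboard;
    without FRE it does not return to management after that wipe; and a
    device enrolled by a non-admin account is managed under that account's
    identity, which is the situation the bug report describes.
    """
    normalized = {a.lower() for a in allowed_enrollers}
    findings: dict[str, list[str]] = {}
    for d in devices:
        problems = []
        if not d.block_dev_mode:
            problems.append("developer mode not blocked")
        if not d.forced_reenrollment:
            problems.append("forced re-enrollment off")
        if d.enrolled_by.lower() not in normalized:
            problems.append(f"enrolled by non-admin account {d.enrolled_by}")
        if problems:
            findings[d.serial] = problems
    return findings


def audit_sample() -> dict[str, list[str]]:
    """Run the audit over the constructed inventory."""
    return audit(load_inventory(SAMPLE_INVENTORY), ALLOWED_ENROLLERS)


if __name__ == "__main__":
    for serial, problems in audit_sample().items():
        print(f"{serial}: {'; '.join(problems)}")
```

The three checks are independent on purpose: a device that blocks developer mode but was enrolled by a student account still shows up, because the enrollment account, not the dev-mode switch, decides whose policies the device receives.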
Comment 1 by mmoroz@chromium.org, Nov 20 2017
Owner: jorgelo@chromium.org
Status: Available (was: Unconfirmed)