Security: Incognito mode on enterprise policy-restricted Chromebooks
Reported by
jeremyeb...@gmail.com,
Dec 15 2017
|
|||||
Issue descriptionVULNERABILITY DETAILS In a GoGuardian & policy restricted ChromeOS Chromebook, the incognito mode can still be accessed through a chrome://inspect exploit. Please note that this is inconsistent and will only work once per boot from testing. If chrome://oobe/lock doesn't show up originally, it will show up after waiting on the page. VERSION Chrome OS 64.0.3282.24, dev channel. This bug can be reproduced on most Chromebooks on the stable channel also. REPRODUCTION CASE Go to chrome://inspect/#other. Find chrome://oobe/lock Click on "inspect" and navigate to "application" on the top bar. Click on "read more about the web manifest" and you will be in incognito mode when incognito is restricted via policy on ChromeOS. If you open a new tab from this incognito window, the new window will not have any policy restrictions. This is a big issue for students who want to bypass policy restrictions to browse freely on a school-issued Chromebook.
,
Dec 15 2017
If you open chrome://extensions while in the oobe/lock incognito window, it opens a new window with no policy restrictions or extensions. If you open chrome://settings or settings, it soft-bricks the chromebook and restarts it. The chrome://oobe/lock still pops up in chrome://inspect after.
,
Dec 15 2017
Typically, I think we track these as functional issues rather than security issues. Issue 673190, Issue 461461
,
Dec 15 2017
I didn't know whether to place this as functionality or security. Either way, it's a pretty big issue for those with enterprise managed Chromebooks blocking incognito (schools).
,
Dec 16 2017
This is definitely something the enterprise team will want to fix. Thanks for the report!
,
Dec 18 2017
Sergey, please confirm that this hits a CHECK() now, then send to dev tools to fix.
,
Dec 18 2017
,
Dec 18 2017
1. Per https://crbug.com/776427#c23 chrome://oobe/lock won't be accessible from M64. 2. Trying to reproduce it on ToT (M65) I end up with opening a non-incognito window (tab) when clicking on 'Read more about the web manifest'. 3. Crash should happen on M65 if incognito is open when not allowed per https://crbug.com/789642#c15, but I can't reproduce any case of trying to open incognito from chrome://inspect. Probably, it was also fixed.
,
Dec 18 2017
I've noticed that this only works on Chromebooks that have a password glitch. (this glitch makes it so that when you're logging into your Chromebook, it won't register the password and will just not do anything or say the password is right/wrong if the password is right.) This may be a separate issue though. All Chromebooks that have this issue can get incognito through oobe/lock. Chromebooks that don't have this issue can't.
,
Dec 18 2017
Also, if a non-incognito tab opens from oobe/lock, it sometimes will have no policy restrictions |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by jeremyeb...@gmail.com
, Dec 15 201745.1 KB
45.1 KB View Download
126 KB
126 KB View Download
154 KB
154 KB View Download