
Issue 796184


Issue metadata

Status: Duplicate
Merged: issue 795941
Owner: ----
Closed: Dec 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: ChromeOS gSuite Policy Bypass via OOBE

Reported by mfreyda...@rsu1.org, Dec 19 2017

Issue description

VERSION
Chrome Version:  64.0.3282.24 beta
Operating System: Chrome OS 64.0.3282.24 beta

REPRODUCTION CASE
Set the following policies in Google Admin
Policy Bypass - Device Management > Chrome > User Settings > Security > Incognito Mode > Disallow incognito mode
Policy Bypass - Device Management > Chrome > User Settings > User Experience > Developer Tools > Never allow use of built-in developer tools


Restart the Chromebook.
Log in and open up Chrome.
Go to Chrome://inspect and choose the Other tab.
Click inspect under chrome://oobe/lock.  
Note: chrome://oobe/lock only appears once after reboot and sometimes takes time to appear.
This opens the Dev Tools window.
Click "Application" from the Dev Tools window.
Choose Manifest.
Click "Read more about the web manifest"
This force opens https://developers.google.com/web/fundamentals/web-app-manifest/?utm_source=decode in incognito mode.

If you close the incognito window, it cannot be reopened by this process until the Chromebook is restarted.

We're happy here at RSU1 to help you test a fix.
Credit to emma.boynton@rsu1.org for discovering the original flaw.
 

Comment 1 by cthomp@chromium.org, Dec 19 2017

Mergedinto: 795941
Status: Duplicate (was: Unconfirmed)
Project Member

Comment 2 by sheriffbot@chromium.org, Apr 3 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
