Security: DevTools protocol can be abused to download and run external programs
Issue description

VULNERABILITY DETAILS
chrome://downloads can launch external programs after an explicit user gesture. After bug 668653, there is even an explicit check that verifies that dangerous operations are initiated by a user gesture. The DevTools protocol can run scripts with a user gesture, so this check is rendered useless.

In the past week, I have found three different ways to run arbitrary code in WebUI pages via DevTools:
- bug 797497 + bug 797500
- bug 798163
- bug 798184

All of these vulnerabilities allow an extension to launch external programs without further user interaction through this bug. Even if these bugs are fixed, this vulnerability can still be exploited through the remote debugging protocol. In that situation, the data in the browser is naturally no longer secure. However, it should not be possible to also compromise the whole system via arbitrary executables.

VERSION
Chrome Version: 63.0.3239.108 (stable) + 65.0.3309.0 (canary)

REPRODUCTION CASE
Load the attached extension, and observe that paint is launched (on Windows). The extension uses bug 797497 + bug 797500 to run scripts in chrome://downloads. See the attached video for a demonstration.

I suggest ignoring the userGesture flag for the DevTools protocol in privileged/webui pages, for the following DevTools methods (this exhaustive list is based on the protocol definition at [1]):
- Runtime.callFunctionOn
- Runtime.evaluate

[1] https://chromium.googlesource.com/v8/v8.git/+/3cbf26e8a21aa76703d2c3c51adb9c96119500da/src/inspector/js_protocol.pdl
Jan 3 2018
I couldn't quite get this to reproduce on Linux (I don't have a Windows machine); it caused my editor to open, and I strongly suspect that it is reproducible on Windows. I'm unsure if double-clicking a downloaded file will cause the file to be executed on the other platforms. dgozman@ do you think this issue should be fixed on the dev-tools side?
Jan 3 2018
Not sure what we can do here apart from disallowing debugging of chrome:// pages. Running under a user gesture is essential to DevTools. We should fix the underlying issues so one cannot script DevTools from an extension, at least.
Jan 3 2018
I have suggested ignoring the userGesture flag when running in a privileged page. If there is a use case for wanting to enable user gestures for DevTools on privileged pages, guard it by a default-off command-line flag, so that the average user is not at risk whenever a DevTools client is compromised. What do you think of this?

Jan 3 2018

Jan 17 2018
dgozman: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 23 2018
+asanka as this is another bug that could potentially be mitigated by a fix to bug 595841.
Jan 23 2018
+devlin for the extension angle. Is there anything we can do to tame chrome.debugger API?
Jan 23 2018
Upon further inspection, this looks similar to bug 666824: both use extensions + devtools + debugger + downloads to launch files on chrome://downloads, but there are some significant differences (bug 666824 uses downloads.open whereas this one doesn't).
Jan 23 2018
@#7 Can you cc me on bug 595841? @#8 The chrome.debugger API does not necessarily have a vulnerability here. It is only used in my exploit to automatically open the DevTools window (using the feature from bug 410958) in order to exploit the vulnerability in the attached DevTools instance. If you think that this feature needs to be constrained, I suggest adding a check to only accept the Page.setAutoAttachToCreatedPages command if the user has enabled the "Enable developer mode" option at chrome://extensions. In this way, developers still have the ability to automatically open the DevTools. But even if the feature were to be locked, users who manually open the DevTools are still fully susceptible to the consequences of the reported vulnerability.

Jan 25 2018

Jan 31 2018
dgozman: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 14 2018
dgozman: Any updates for this high severity bug?
Feb 28 2018
This should only be Medium severity, but still needs to be fixed. dgozman@: Are you able to do anything with this, or else pass it on to someone else who can?
Feb 28 2018
We have a plan to address this, together with other chrome.debugger issues.
Mar 5 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2aec794f26098c7a361c27d7c8f57119631cca8a

commit 2aec794f26098c7a361c27d7c8f57119631cca8a
Author: Dmitry Gozman <dgozman@chromium.org>
Date: Mon Mar 05 20:27:54 2018

[DevTools] Do not allow chrome.debugger to attach to web ui pages

If the page navigates to web ui, we force detach the debugger extension.

TBR=alexclarke@chromium.org
Bug: 798222
Change-Id: Idb46c2f59e839388397a8dfa6ce2e2a897698df3
Reviewed-on: https://chromium-review.googlesource.com/935961
Commit-Queue: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540916}

[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/chrome/browser/extensions/api/debugger/debugger_api.cc
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/chrome/browser/extensions/api/debugger/debugger_api.h
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/chrome/browser/extensions/api/debugger/debugger_api_constants.cc
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/chrome/browser/extensions/api/debugger/debugger_api_constants.h
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/chrome/test/data/extensions/api_test/debugger/background.js
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/chrome/test/data/extensions/api_test/debugger_extension/background.js
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/browser_devtools_agent_host.cc
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/browser_devtools_agent_host.h
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/devtools_agent_host_impl.cc
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/devtools_agent_host_impl.h
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/devtools_session.cc
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/devtools_session.h
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/render_frame_devtools_agent_host.cc
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/render_frame_devtools_agent_host.h
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/service_worker_devtools_agent_host.cc
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/service_worker_devtools_agent_host.h
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/shared_worker_devtools_agent_host.cc
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/browser/devtools/shared_worker_devtools_agent_host.h
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/content/public/browser/devtools_agent_host.h
[modify] https://crrev.com/2aec794f26098c7a361c27d7c8f57119631cca8a/headless/public/util/testing/mock_devtools_agent_host.h
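The two mitigations discussed in this thread can be modelled as a small policy layer in front of a DevTools protocol session: the reporter's suggestion of ignoring the userGesture flag on Runtime.evaluate and Runtime.callFunctionOn when the target is a privileged chrome:// page, and the fix commit's behaviour of refusing to attach chrome.debugger to a WebUI page and force-detaching when an attached target navigates to one. The following is an added illustration written for this page, not Chromium's code: the function names, the message shape, the session model and the choice of `chrome:` as the only privileged scheme are assumptions; only the protocol method names and the chrome://downloads target come from the issue.

```javascript
// Added example, not Chromium's code. Models two defensive controls from this
// issue for a relay that sits between a DevTools client and the browser:
//   (1) strip userGesture from Runtime.evaluate / Runtime.callFunctionOn when
//       the debug target is a privileged chrome:// page (reporter's proposal);
//   (2) refuse chrome.debugger attachment to a WebUI page and force a detach
//       when an attached target navigates to one (what the fix commit does).
// Names, message layout and session model are assumptions for illustration.

const GESTURE_METHODS = new Set(['Runtime.evaluate', 'Runtime.callFunctionOn']);
// Assumption: "privileged" means the chrome: scheme (WebUI pages such as
// chrome://downloads). Add further schemes here if your deployment treats
// them as privileged.
const PRIVILEGED_SCHEMES = new Set(['chrome:']);

function isPrivilegedTarget(url) {
  try {
    return PRIVILEGED_SCHEMES.has(new URL(url).protocol);
  } catch (e) {
    return true; // unparsable target URL: fail closed and treat as privileged
  }
}

// Inspect one client -> browser protocol message (a JSON string). Returns the
// message to forward (possibly rewritten) plus audit events worth logging.
function filterCommand(rawJson, targetUrl) {
  const msg = JSON.parse(rawJson);
  const events = [];
  const wantsGesture = GESTURE_METHODS.has(msg.method) &&
    msg.params !== undefined && msg.params.userGesture === true;
  if (wantsGesture && isPrivilegedTarget(targetUrl)) {
    // A client requesting a synthetic user gesture on a WebUI page is the
    // exact pattern this issue describes, so record it for detection.
    events.push({ kind: 'user_gesture_stripped', id: msg.id,
                  method: msg.method, target: targetUrl });
    const params = Object.assign({}, msg.params);
    delete params.userGesture;
    return { message: Object.assign({}, msg, { params }), events };
  }
  return { message: msg, events };
}

// Minimal attach/navigate state for one chrome.debugger client.
class DebuggerSession {
  constructor(clientId) {
    this.clientId = clientId;
    this.targetUrl = null;
    this.attached = false;
    this.log = [];
  }
  attach(targetUrl) {
    if (isPrivilegedTarget(targetUrl)) {
      this.log.push({ kind: 'attach_refused', target: targetUrl });
      return false;
    }
    this.targetUrl = targetUrl;
    this.attached = true;
    return true;
  }
  // Called on every committed navigation of the attached target.
  onNavigated(newUrl) {
    this.targetUrl = newUrl;
    if (this.attached && isPrivilegedTarget(newUrl)) {
      this.attached = false;
      this.log.push({ kind: 'force_detached', target: newUrl });
    }
    return this.attached;
  }
  // Forward a command only while attached, and always run it through the
  // gesture filter so the relay stays safe even if attach rules change.
  send(rawJson) {
    if (!this.attached) {
      this.log.push({ kind: 'dropped_not_attached' });
      return null;
    }
    const { message, events } = filterCommand(rawJson, this.targetUrl);
    this.log.push(...events);
    return message;
  }
}

// Constructed sample: a client evaluates with a gesture on an ordinary page,
// the page then navigates to chrome://downloads, and the request is replayed.
function demo() {
  const s = new DebuggerSession('ext-1');
  const cmd = JSON.stringify({ id: 1, method: 'Runtime.evaluate',
    params: { expression: 'document.title', userGesture: true } });
  const first = s.attach('https://example.com/') && s.send(cmd); // forwarded
  s.onNavigated('chrome://downloads');                            // detached
  const second = s.send(cmd);                                     // dropped
  return { first, second, log: s.log };
}
```

The session rules cover the chrome.debugger case the commit fixes; `filterCommand` on its own is the control that still matters for the remote debugging protocol the reporter mentions, where a client may legitimately be attached to a chrome:// page and the gesture flag is the thing to neutralise. The emitted events are the detection hook: a `user_gesture_stripped` or `attach_refused` record for a chrome:// target is a high-signal alert in a fleet with extensions or remote debugging enabled.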
Mar 5 2018

Mar 6 2018

Mar 6 2018

Mar 6 2018

Mar 15 2018

Mar 16 2018

Mar 16 2018
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 19 2018
Seems like a fairly large change. awhalley@ any issues with taking this in M67 instead of 66?
Mar 23 2018
Checking with awhalley, we should consider this merge. dgozman@: how safe is this merge overall? I'm a bit worried about the size of the change.
Mar 26 2018
*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.

Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************
Mar 26 2018
Thanks Rob! The VRP panel decided to reward $2,000 for this report.
Mar 26 2018
Approving merge to M66. Branch: 3359

Mar 26 2018
Apr 11 2018
Checking with dgozman@, let's target this for M67.

Apr 17 2018

May 29 2018

May 29 2018

Jun 12 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 4

Comment 1 by elawrence@chromium.org, Jan 2 2018