Cookies can be read by a malicious app in a rooted device even though device encryption is turned on
Reported by arunp1...@gmail.com, Jan 10 2018
Issue description

Steps to reproduce the problem:
1. End user has inadvertently installed a malicious app on a rooted device and gave it root access. Device encryption is turned on.
2. User accesses a banking application in Chrome mobile browser on a rooted device.
3. The malicious app (which has root access) reads the cookies stored in db by Chrome leading to session hijacking.

What is the expected behavior?
Cookies stored in database MUST be encrypted as is done in other platforms as part of https://bugs.chromium.org/p/chromium/issues/detail?id=313323. Comment no. 15 (https://bugs.chromium.org/p/chromium/issues/detail?id=313323#c15) states: "droger, iOS and Android don't need it because their storage is protected by the OS." But the above attack scenario (mentioned in steps to reproduce) is not handled.

What went wrong?
Session hijacking is possible

Did this work before? No

Chrome version: 63.0.3239.132
Channel: stable
OS Version: 10.0
Flash Version:

I am filing this bug as a customer has done a security review and reported this to us. Since it is a common issue in Chromium, I thought it should be implemented in Chromium itself. If you think otherwise, please provide justification so that I can communicate the same to my customer.
Jan 10 2018
Compromised (aka 'rooted') devices are outside of the browser's threat model: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-compromised_infected-machines-in-Chromes-threat-model. Even if Chrome bothered to encrypt the cookie data, the application with root access could trivially steal the encryption key out of Chrome's memory. On other platforms (e.g. Windows) stored cookies are encrypted using a login-specific token, such that any malware running as the user is able to decrypt them as well.
Jan 11 2018
Thanks a lot for your prompt reply! I really appreciate it! I am curious to know the official viewpoint of the Chromium project on the below: Based on "Law #7: Encrypted data is only as secure as its decryption key", is there any plan to use Android's Hardware-backed Keystore (https://source.android.com/security/keystore/)? What I understand is that a lot of effort is being put in by the Android team to make it really secure by adding more security features in every Android release (like Key Attestation, Version Binding and ID Attestation).
Jan 12 2018
Hi, did you get a chance to look at my question? To elaborate, since Android has support for a hardware-backed keystore, is Chrome considering encrypting cookies with a symmetric key stored in the hardware-backed keystore? Your valuable input will help me to take an informed decision. Thanks!
Jan 15 2018
Hi, Could you please provide an update on my questions? Even if you need more time to discuss internally, please let me know. Your prompt response will help me to decide what should be done with the security bug filed by my customer.
Jan 16 2018
Hi, Could you provide any update please? Based on your valuable update, I can discuss the same with my team's Corporate Security Response team and subsequently convey the same to my customer.
Apr 19 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by arunp1...@gmail.com, Jan 10 2018