This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com
/chromium/src/+/master/docs/security/faq.md

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Installation of local provisioning packages onto Chrome OS devices, Windows devices, Apple Devices, and Android Devices enable malicious code to persist following OS reinstallation, allowing the provisioned and infected systems to be returned to local retail stores and sold to unsuspecting end-users, or sold on secondary markets to unsuspecting end-users. Future web traffic, downloads, and secure form information on these infected devices is then able to be passed through the provisioners' own proxy server, where this information would able to be captured and sold, or used for malicious purposes. This type of exploit has wide-reaching implications, and is capable of being deployed rapidly and systemically on a global scale.


VERSION
Chrome Version: Any + Any
Operating System: Chrome OS, Chromium, Microsoft Windows, iOS, Mac OS

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace *with symbols*, registers,
exception record]
Client ID (if relevant): [see link above]