Security: CrOS Wifi Password retained across guest sessions

Reported by jjverder...@gmail.com, Mar 8 2018
Issue description

VULNERABILITY DETAILS

On the ASUS C100P:
1. Factory Reset the device (while holding escape and reload buttons press and release power button)
2. Sign in as guest user
3. Connect to wifi (do not select option to retain password if there is an option available)
4. Sign out of guest session
5. Sign into device using guest account
6. Reconnect to the same wifi network as before WITHOUT re-entering password

VERSION
Chrome Version: Google Chrome 64.0.3282.167 (Official Build) (32-bit)
Operating System: CrOS (Chromium OOTB) -- Google_Veyron_Minnie.6588.237.0

REPRODUCTION CASE
Follow steps 1-6 above
Mar 8 2018
The persistence of network settings has raised questions in the past, but I believe that works as intended?
Mar 11 2018
I do not see how you could possibly consider a system "secure" if any information entered into a guest session is persisted into a subsequent guest session.
Mar 12 2018
stevenjb@, what's the intended behavior here?
Mar 12 2018
This is WAI. Configuring a network in a Guest session behaves the same as configuring a network in the login screen - the network is shared with all users of the device. This is the same as when a logged in user checks 'Allow other users of this device to use this network' when configuring a network. We check and disable this option logged in as Guest to make the behavior clear. If a user really wants to configure a wifi network just for a guest session they can use the UI to forget the network before logging out. (In the past this behavior was necessary to expose some of the configuration UI (e.g. nameservers). That UI is now available during login, but it seems that forgetting networks configured as Guest would be more confusing than remembering them.)
Mar 14 2018
"This is the same as when a logged in user checks 'Allow other users of this device to use this network' when configuring a network." -- this is NOT the same as the checkbox is disabled. Allowing credentials to be shared across user accounts DOES pose a security risk.
Mar 14 2018
The behavior is explicit and the user is clearly informed. The checkbox is disabled because there is no user profile so any network configuration is saved to the device profile. The guest user can opt to not connect to the private network, or can explicitly forget the shared network in Settings.
Jun 19 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Mar 8 2018