Security regression: Safe Browsing malware and phishing protection broken on latest Chromium builds
Reported by
93m4qau...@gmail.com,
Mar 14 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3371.0 Safari/537.36

Steps to reproduce the problem:
1. Go to chrome://settings/privacy and confirm that "Protect you and your device from dangerous sites" is enabled.
2. Open https://testsafebrowsing.appspot.com/s/malware.html.
3. Open https://testsafebrowsing.appspot.com/s/phishing.html.

What is the expected behavior?
Chrome displays a full red screen Safe Browsing warning.

What went wrong?
Unless you have an antivirus or other program that blocks the pages, they just load right up.

Did this work before? Yes 67.0.3370.0

Chrome version: 67.0.3371.0 Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:

Tested with all extensions disabled, browsing data cleared, and no external MITM'ing.
,
Mar 14 2018
Right, 67.0.3370.0 is the good build. Safe Browsing is broken (at least for me) on 67.0.3371.0 from download-chromium.appspot.com.
,
Mar 14 2018
I can't reproduce this either. Can you please confirm that you are using Google Chrome (not Chromium, even though this shouldn't happen on Chromium either)? Also, can you please post the contents of chrome://safe-browsing from this installation of Google Chrome? Thanks. Edit: Wait, you're saying that it was broken in "67.0.3371.0". Interesting!
,
Mar 14 2018
I am using Chromium 67.0.3371.0. It works fine in Chrome 67.0.3370.0 canary. Contents of chrome://safe-browsing (in Chromium) will be in the next comment.
,
Mar 14 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 14 2018
Safe Browsing
The Safe Browsing page is under construction.
Experiments
Enabled: AppendRecentNavigationEvents
Disabled: S13nSafeBrowsingCheckByURLLoaderThrottle
Enabled: EnterprisePasswordProtectionV1
Enabled: SyncPasswordReuseEvent
Enabled: PasswordProtectionGoogleBrandedPhishingWarning
Disabled: InspectDownloadedRarFiles
Preferences
Enabled: safebrowsing.enabled
Enabled: safebrowsing.extended_reporting_opt_in_allowed
Disabled: safebrowsing.extended_reporting_enabled
Disabled: safebrowsing.scout_reporting_enabled
Database Manager
Last update network status code: 400
Last update time: 3/14/18, 2:28:58 PM
Database size in bytes: 0
SafeBrowsing.V4Database.Size.IpMalware: 0
Store update status: 12
Number of database checks: 0
SafeBrowsing.V4Database.Size.UrlUws: 0
Store update status: 12
Number of database checks: 0
SafeBrowsing.V4Database.Size.UrlSoceng: 0
Store update status: 12
Number of database checks: 0
SafeBrowsing.V4Database.Size.UrlMalware: 0
Store update status: 12
Number of database checks: 0
SafeBrowsing.V4Database.Size.UrlMalBin: 0
Store update status: 12
Number of database checks: 0
SafeBrowsing.V4Database.Size.ChromeExtMalware: 0
Store update status: 12
Number of database checks: 0
Full Hash Cache
[ {
"Number of cache hits": 0
} ]
Threat Details
,
Mar 14 2018
Thanks. Can you also post the contents of: chrome://histograms/SafeBrowsing.V4
,
Mar 14 2018
Stats accumulated since browser startup. Reload to refresh.
Histogram: SafeBrowsing.V4Database.Size recorded 3 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (3 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4Database.Size.ChromeExtMalware recorded 3 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (3 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4Database.Size.IpMalware recorded 3 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (3 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4Database.Size.UrlMalBin recorded 3 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (3 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4Database.Size.UrlMalware recorded 3 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (3 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4Database.Size.UrlSoceng recorded 3 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (3 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4Database.Size.UrlUws recorded 3 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (3 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4DatabaseOpen.Time recorded 3 samples, mean = 1.3 (flags = 0x41)
0 ------------------------------------------------------------------------O (2 = 66.7%)
1 ...
4 ------------------------------------O (1 = 33.3%) {66.7%}
5 ...
Histogram: SafeBrowsing.V4GetPrefixMatches.TimeUs recorded 1374 samples, mean = 4.6 (flags = 0x41)
0 ------------O (54 = 3.9%)
1 ------------O (51 = 3.7%) {3.9%}
2 -----------------O (73 = 5.3%) {7.6%}
3 -------------------------------------------------------O (239 = 17.4%) {13.0%}
4 ------------------------------------------------------------------------O (630 = 45.9%) {30.3%}
6 -----------------------O (203 = 14.8%) {76.2%}
8 -------O (92 = 6.7%) {91.0%}
11 -O (22 = 1.6%) {97.7%}
15 O (7 = 0.5%) {99.3%}
21 O (1 = 0.1%) {99.8%}
29 O (1 = 0.1%) {99.9%}
40 O (1 = 0.1%) {99.9%}
55 ...
Histogram: SafeBrowsing.V4StoreRead.Result recorded 18 samples, mean = 2.0 (flags = 0x41)
0 ...
2 ------------------------------------------------------------------------O (18 = 100.0%) {0.0%}
3 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.AnyIpMalware recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.ChromeFilenameClientIncident recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.Bloom recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.BloomPrefixSet recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.CsdWhitelist recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.Download recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.DownloadWhitelist recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.ExtensionBlacklist recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.IPBlacklist recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.InclusionWhitelist recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.ModuleWhitelist recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.ResourceBlacklist recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.Side-EffectFreeWhitelist recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.UwSList recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4UnusedStoreFileExists.V3.UwSListPrefixSet recorded 1 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (1 = 100.0%)
1 ...
Histogram: SafeBrowsing.V4Update.Network.Result recorded 5 samples (flags = 0x41)
400 ------------------------------------------------------------------------O (5 = 100.0%)
Histogram: SafeBrowsing.V4Update.Result recorded 5 samples, mean = 3.0 (flags = 0x41)
0 ...
3 ------------------------------------------------------------------------O (5 = 100.0%) {0.0%}
4 ...
Histogram: SafeBrowsing.V4Update.TimedOut recorded 5 samples, mean = 0.0 (flags = 0x41)
0 ------------------------------------------------------------------------O (5 = 100.0%)
1 ...
,
Mar 14 2018
Suspecting commit 6a66c00f54b619ecc7a3f8f56e3a06f04dfc4e1e as culprit.
,
Mar 14 2018
Wait a minute...that shipped already in the latest canary (67.0.3370.0) and the issue isn't reproducing there. I couldn't find anything else for "safebrowsing" or "Safe Browsing" though - I'm just not good at bisects I suppose.
,
Mar 14 2018
Thanks. commit 6a66c00f54b619ecc7a3f8f56e3a06f04dfc4e1e can't be it because that's affecting Chrome on Android specifically but this report is for Chromium on Windows.
,
Mar 14 2018
I see now. I was (am) too stupid to notice that from the very beginning.
,
Mar 14 2018
I suspect it is Chromium builds that are broken. In case you have access to the Chromium build for 67.0.3370.0, can you please post the contents of chrome://safe-browsing and chrome://histograms/SafeBrowsing.V4 from there?
,
Mar 14 2018
Unfortunately, I don't have a Chromium build for 67.0.3370.0 anymore. Are you able to reproduce this on your end on Chromium 67.0.3371.0?
,
Mar 14 2018
> Are you able to reproduce this on your end on Chromium 67.0.3371.0?

Yes.
,
Mar 14 2018
I just realized that the Chromium builds say "Google API keys are missing. Some functionality of Chromium will be disabled." upon launch, and that Google Safe Browsing API may be affected. In that case, "Protect you and your device from dangerous sites" should be displayed as off and grayed-out in settings (with an explanation of why), rather than deceptively showing as enabled.
,
Mar 14 2018
Chromium does have Safe Browsing protection, including checking for Malware and Phishing URLs. The official Google Chrome build provides some additional protection, but the difference is small.
,
Mar 14 2018
Re #c20: I take that back. Chromium builds do not have Safe Browsing protection but clients based off Chromium can enable Safe Browsing protection by using a valid API key. We do not ship a valid API key with Chromium and that's causing this bug. Marking this as WontFix. Your suggestion that Safe Browsing should be grayed out is reasonable. I'm going to log a non-security bug for that.
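An added example, not part of the original thread or of Chromium's code: a small parser for the chrome://safe-browsing text posted earlier in this issue that flags the state the thread ends on, where the preference reads as enabled while list updates fail and the local stores are empty. The function names and the healthy sample are constructed, and treating HTTP 200 as the success status is an assumption.

```python
import re

# Abridged from the chrome://safe-browsing dump posted in this issue.
BROKEN_DUMP = """\
Enabled: safebrowsing.enabled
Last update network status code: 400
Database size in bytes: 0
SafeBrowsing.V4Database.Size.UrlSoceng: 0
SafeBrowsing.V4Database.Size.UrlMalware: 0
"""
# Constructed sample of a working profile; the sizes are made up.
HEALTHY_DUMP = """\
Enabled: safebrowsing.enabled
Last update network status code: 200
Database size in bytes: 4200000
SafeBrowsing.V4Database.Size.UrlSoceng: 2100000
SafeBrowsing.V4Database.Size.UrlMalware: 2100000
"""

PREF = re.compile(r"(Enabled|Disabled): safebrowsing\.enabled")
STATUS = re.compile(r"Last update network status code: (-?\d+)")
TOTAL = re.compile(r"Database size in bytes: (\d+)")
STORE = re.compile(r"SafeBrowsing\.V4Database\.Size\.(\w+): (\d+)")

def parse_dump(text):
    """Pull the preference, last update status and store sizes from a dump."""
    state = {"enabled": False, "status": None, "total": 0, "stores": {}}
    for line in map(str.strip, text.splitlines()):
        if m := PREF.fullmatch(line):
            state["enabled"] = m.group(1) == "Enabled"
        elif m := STATUS.fullmatch(line):
            state["status"] = int(m.group(1))
        elif m := TOTAL.fullmatch(line):
            state["total"] = int(m.group(1))
        elif m := STORE.fullmatch(line):
            state["stores"][m.group(1)] = int(m.group(2))
    return state

def findings(text):
    """Return reasons the 'enabled' setting is not backed by usable lists."""
    s = parse_dump(text)
    if not s["enabled"]:
        return ["safebrowsing.enabled is off or missing"]
    out = []
    if s["status"] != 200:  # assumption: 200 marks a successful list update
        out.append(f"last list update returned HTTP {s['status']}")
    if s["total"] == 0:
        out.append("local database is empty")
    empty = sorted(n for n, size in s["stores"].items() if size == 0)
    return out + (["empty stores: " + ", ".join(empty)] if empty else [])
```

An empty result from `findings` means the dump shows the setting backed by populated lists; any entries are the reasons it is not.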
,
Jun 21 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by est...@chromium.org, Mar 14 2018
Components: Services>Safebrowsing