
Issue 835687

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 827073
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 2
Type: Bug-Security


Security: Exported Passwords in Clear within Application Sandbox

Reported by antojose...@gmail.com, Apr 23 2018

Issue description

VULNERABILITY DETAILS

Vulnerable Software : chrome on iOS

Using the new export passwords feature, one can share passwords to different apps. After this process, the file created in /tmp within the application sandbox is deleted. But if one were to force-kill the app midway, the file remains in the sandbox in clear. Chrome can check at startup if this file exists and delete it to enhance security for end users.

VERSION
Chrome Version: 66.0.3359.122
Chrome on iOS

REPRODUCTION CASE

Go to settings
Export passwords
When you get the option to share, kill the app by swiping up. Check the application sandbox directory in the /tmp folder. Exported passwords will be available in CSV format.

Attachment: 6C11CBC4-FC6E-4498-8F1F-4FBE84069726.png (321 KB)

Comment 1 by vakh@chromium.org, Apr 23 2018

Cc: palmer@chromium.org
Components: UI>Browser>Passwords
Labels: M-66 Security_Impact-Stable Security_Severity-Low Needs-Feedback OS-iOS
Owner: ioanap@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for the bug report. Possibly a duplicate of issue 827073.

Can you please help me understand what's the threat model here? How can an adversary realistically exploit this? Since it requires the user to follow a very specific set of steps, including killing the app which isn't an obvious thing to do, it does not seem easily exploitable. On top of that, it requires the user to have installed another malicious app that's listening to files in /tmp.

Given that, I'd consider this Security_Severity-Low at best.

palmer@ -- based on your comments on the linked issue, you might disagree with my assessment so feel free to change it.

Hi, instead of force close, this could be paired up with a script that can crash the browser as well.

Vulnerabilities in apps which are in the same "App Groups" can allow access to this file for exfiltration. This could be other Google apps in iOS that belong to the same "App Group".

The exported files are passwords, which are of utmost importance and are stored in the iOS keychain (I think); having them on the disk, in the /tmp folder, makes it much easier for an adversary and is not the right thing to do as per iOS app sec guidelines.

Developers did understand the importance of deleting this file after exporting it and it works as intended in the normal interactions. This is an edge case that must have been overlooked. 

This can be fixed by looking for such a file at application startup and removing it, or by not having the file written to disk at all.
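The startup sweep proposed in the comment above, and which Comment 4 below reports as landed for M67, illustrated as an added example that is not Chrome's code (Chrome for iOS is not written in Python). The export file name prefix, the CSV layout and the sample rows are assumptions made for the illustration; the page does not state what Chrome actually names the file. The example also shows why a try/finally around the share step is not enough on its own: it runs on exceptions, but not when the process is force-killed.

```python
import csv
import os
import tempfile
from pathlib import Path

# Constructed sample rows; the credentials are fake placeholders for the illustration.
SAMPLE_ROWS = [
    ("https://example.com", "alice", "EXAMPLE-password-1"),
    ("https://example.org", "bob", "EXAMPLE-password-2"),
]

# Assumed naming convention for the temporary export file. The page does not
# state what Chrome names it; the prefix exists only so the startup sweep can
# recognise leftovers without touching unrelated temp files.
EXPORT_PREFIX = "password_export_"
EXPORT_SUFFIX = ".csv"


def write_export(tmp_dir: Path, rows) -> Path:
    """Write the CSV into the app's sandbox temp dir and return its path.

    mkstemp creates the file with mode 0600, so nothing else in the sandbox
    can open it, but the contents are still plaintext on disk.
    """
    tmp_dir.mkdir(parents=True, exist_ok=True)
    fd, name = tempfile.mkstemp(prefix=EXPORT_PREFIX, suffix=EXPORT_SUFFIX, dir=str(tmp_dir))
    with os.fdopen(fd, "w", newline="") as handle:
        writer = csv.writer(handle)
        writer.writerow(["url", "username", "password"])
        writer.writerows(rows)
    return Path(name)


def export_and_share(tmp_dir: Path, rows, share) -> Path:
    """Normal flow: write the file, hand it to the share sheet, then delete it.

    try/finally covers an exception raised by the share step, but it cannot run
    if the process is force-killed, which is the gap the report describes.
    """
    path = write_export(tmp_dir, rows)
    try:
        share(path)
    finally:
        path.unlink(missing_ok=True)
    return path


def simulate_force_kill_during_share(tmp_dir: Path, rows) -> Path:
    """Model the reported edge case: the file is written, then the app dies before cleanup."""
    return write_export(tmp_dir, rows)


def sweep_stale_exports(tmp_dir: Path) -> list:
    """Startup hygiene: delete any export file left behind by an earlier run."""
    removed = []
    if not tmp_dir.is_dir():
        return removed
    for entry in tmp_dir.iterdir():
        if entry.is_file() and entry.name.startswith(EXPORT_PREFIX) and entry.name.endswith(EXPORT_SUFFIX):
            entry.unlink()
            removed.append(entry)
    return removed


def run_scenarios() -> dict:
    """Run the three scenarios in an isolated directory and report what stayed on disk."""
    with tempfile.TemporaryDirectory() as scratch:
        tmp_dir = Path(scratch) / "tmp"

        normal = export_and_share(tmp_dir, SAMPLE_ROWS, share=lambda p: None)
        leftover_after_normal = normal.exists()

        killed = simulate_force_kill_during_share(tmp_dir, SAMPLE_ROWS)
        leftover_after_kill = killed.exists()

        removed = sweep_stale_exports(tmp_dir)  # what a launch-time cleanup does
        leftover_after_sweep = killed.exists()

        return {
            "leftover_after_normal": leftover_after_normal,
            "leftover_after_kill": leftover_after_kill,
            "removed_count": len(removed),
            "leftover_after_sweep": leftover_after_sweep,
        }


if __name__ == "__main__":
    print(run_scenarios())
```

The sweep matches only the assumed prefix and suffix, so it cannot delete arbitrary files in the temp directory; on a real device the same routine would run once during app launch, before any new export is started.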

Comment 3 by sheriffbot@chromium.org (Project Member), Apr 23 2018

Labels: Pri-2

Comment 4 by ioanap@chromium.org, Apr 25 2018

A fix that removes the files at Chrome startup is in for M67.

Comment 5 by palmer@chromium.org, Apr 25 2018

Yes, this does seem like a duplicate of Issue 827073 to me. ioanap, do you agree? If so, please go ahead and mark this as a duplicate, and CC this bug's reporter on that bug.

Also, can you point us to the CL that landed for 67? Thanks!

Comment 6 by ioanap@chromium.org, Apr 26 2018

The CL that introduced file deletion at startup is: https://chromium-review.googlesource.com/c/chromium/src/+/974181.

This is indeed a duplicate of Issue 827073. I will not be merging the bugs, since the original had a different type of restricted view.


Comment 7 by ioanap@chromium.org, Apr 26 2018

Duplicate of: Issue 827073

Comment 8 by palmer@chromium.org, May 30 2018

Re #6: From a security perspective, it is OK (actually, best) to mark that one Restrict-View-SecurityTeam, duplicate this one into it, and then let it become public as usual after the fix has been available for 14 weeks. (A bot does this automatically.)

Comment 9 by sheriffbot@chromium.org (Project Member), May 30 2018

Labels: -M-66 M-67
Mergedinto: 827073
Status: Duplicate (was: Assigned)
Thank you for the advice!

Comment 11 by sheriffbot@chromium.org (Project Member), Nov 2

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
