Pixelbook embedded U2F Tokens Should be Locked to a Single Account and NOT be permitted in Guest Mode
Reported by
keithiok...@gmail.com,
Jun 12 2018
|
Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 10718.13.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.15 Safari/537.36
Platform: 10718.13.0 (Official Build) dev-channel eve

Steps to reproduce the problem:
1. Open a Chrome OS Shell (crosh) and run "u2f_flags g2f" to enable g2f
2. Set up a website to use the Pixelbook's embedded U2F Token.
3. Allow "Guest Mode" on ChromeOS and allow the use of other accounts - I do disable this on my devices but it is enabled by default
4. Log out of your Primary User Account and log in under the "Guest" account
5. Authenticate to the same web service under the Chrome browser in Guest Mode and when prompted to insert your U2F device, simply tap the power button.

What is the expected behavior?
Guest Mode should not allow the use of the built in U2F token; furthermore, unless there is a way to assign a unique token to each user on the Pixelbook, it should only be locked down to the primary user by default.

What went wrong?
Any user, including the guest account, can use the built in U2F token, which potentially eliminates most of the benefits of 2 Factor Authentication. Of course many potential attack vectors can be mitigated once you disable Guest Mode and restrict the Pixelbook to one user. Sadly a factory reset can undo these mitigations if an attacker were to gain physical access to the Pixelbook.

Did this work before? N/A

Chrome version: 68.0.3440.15
Channel: dev
OS Version: 10718.13.0
Flash Version: 30.0.0.113

If a user were to use strong passwords, they are still reasonably secure, but the current implementation of U2F tokens on the Pixelbook has a few problems. The worst case scenario is if a user enables "Pin Based" authentication or uses a weak password that can be guessed by an attacker and stores passwords in Chrome's Autofill - they could walk away with the Pixelbook and have access to everything.
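The design concern in the report, a token secret that belongs to the device rather than to the signed-in user, can be modelled in a few lines. The following Python is an added illustration and not Chrome OS, crosh or cr50 code. It uses HMAC-SHA256 as a stand-in for the per-site ECDSA key pairs a real U2F token generates (so the relying party here stores the MAC key where it would normally store a public key), and the `DeviceToken`, `RelyingParty` and `second_factor_accepted` names, the app id and the account names are constructed for the example. It goes slightly beyond the report by showing the per-user binding the reporter asks for next to the shared behaviour the reporter observed.

```python
"""Toy model of a device-bound U2F token shared by every OS session versus
one that also binds to the signed-in user.

Added illustration, not Chrome OS or cr50 code. HMAC-SHA256 stands in for
the ECDSA key pairs a real token uses, so the relying party keeps the MAC key
where it would normally keep a public key. All names are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


class DeviceToken:
    """A token whose secret lives in the device, like the Pixelbook's built-in
    one. Whichever OS session can reach the token can ask it to sign."""

    def __init__(self, device_secret: bytes, bind_to_user: bool) -> None:
        self._secret = device_secret
        self.bind_to_user = bind_to_user

    def _derive_key(self, app_id: str, session_user: str, key_handle: bytes) -> bytes:
        # Per-registration key derived from the device secret, the relying
        # party's app id and the random key handle. When bound to a user, the
        # signed-in account is mixed in as well, so a different session (for
        # example Guest) derives a different key for the same key handle.
        material = app_id.encode() + b"|" + key_handle
        if self.bind_to_user:
            material += b"|user=" + session_user.encode()
        return hmac.new(self._secret, material, hashlib.sha256).digest()

    def register(self, app_id: str, session_user: str) -> tuple[bytes, bytes]:
        """Return (key_handle, verification_key) for the relying party to store."""
        key_handle = secrets.token_bytes(16)
        return key_handle, self._derive_key(app_id, session_user, key_handle)

    def authenticate(self, app_id: str, session_user: str, key_handle: bytes,
                     challenge: bytes) -> bytes:
        """Answer the relying party's challenge with the per-registration key."""
        key = self._derive_key(app_id, session_user, key_handle)
        return hmac.new(key, challenge, hashlib.sha256).digest()


class RelyingParty:
    """Web service that stores one token registration per account."""

    def __init__(self, app_id: str) -> None:
        self.app_id = app_id
        self.registrations: dict[str, tuple[bytes, bytes]] = {}

    def enroll(self, account: str, token: DeviceToken, session_user: str) -> None:
        self.registrations[account] = token.register(self.app_id, session_user)

    def verify(self, account: str, token: DeviceToken, session_user: str) -> bool:
        key_handle, verification_key = self.registrations[account]
        challenge = secrets.token_bytes(32)
        response = token.authenticate(self.app_id, session_user, key_handle, challenge)
        expected = hmac.new(verification_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def second_factor_accepted(bind_to_user: bool, session_user: str) -> bool:
    """Enroll from the primary user's session, then attempt the second factor
    from the given OS session on the same device."""
    token = DeviceToken(secrets.token_bytes(32), bind_to_user=bind_to_user)
    rp = RelyingParty("https://example.test")  # constructed app id
    rp.enroll("owner@example.test", token, session_user="owner")
    return rp.verify("owner@example.test", token, session_user=session_user)


if __name__ == "__main__":
    print("shared device token, Guest session:", second_factor_accepted(False, "guest"))
    print("user-bound token, Guest session:  ", second_factor_accepted(True, "guest"))
    print("user-bound token, owner session:  ", second_factor_accepted(True, "owner"))
```

With the shared token the Guest session's response verifies exactly like the owner's, which is the behaviour the report describes; with the binding, the Guest session derives a key the relying party never saw and the second factor is rejected, while the owner's own session still works. The change that actually landed in this thread is only a crosh warning, not such a binding, and the binding does not help against someone who can sign in as the owner, which is the weak-password case the reporter raises.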
Jun 13 2018
Here's a CL that implements #1: https://chromium.googlesource.com/chromiumos/docs/+/master/security_review_howto.md Unless someone is willing to take ownership and do something more sophisticated, I'm going to get this in and merged back to avoid potential damage to users.
Jun 13 2018
Ah, sorry, here's the correct link to the CL: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1099059
Jun 13 2018
> Any user, including the guest account can use the built in U2F token which
> potentially eliminates most of the benefits of 2 Factor Authentication.

Which is no different than plugging a Yubikey 4C nano for example ... https://www.yubico.com/product/yubikey-4-series/#yubikey-4c-nano

> merged back to avoid potential damage to users.

...
Jun 13 2018
> 1. Make crosh print a warning message that U2F is not ready for general use
> 2. Put it behind a feature flag so chrome://experiments sets the right expectations when the user enables

I don't think anything requiring some typing in crosh is for general use either, this is all debug commands. Is this a new expectation?
Jun 13 2018
> > Any user, including the guest account can use the built in U2F token which
> > potentially eliminates most of the benefits of 2 Factor Authentication.
>
> Which is no different than plugging a Yubikey 4C nano for example ...
> https://www.yubico.com/product/yubikey-4-series/#yubikey-4c-nano

Except that the Yubikey behaves as expected by the user, whereas this bug report is proof that user expectations are different for the built-in U2F implementation.
Jun 13 2018
I don't think the comparison with a key that can be removed is fair. If you're giving your laptop to someone else for an extended period of time, you can remove the Nano, but you cannot remove the built-in one. So there is a meaningful difference here that we've so far chosen to ignore, and hopefully we can improve going forward, and before this becomes widely available.
Jun 13 2018
> I don't think anything requiring some typing in crosh is for general use either, this is all debug commands.
> Is this a new expectation ?

Docs are popping up on the internet instructing people to type stuff into crosh: https://www.xda-developers.com/google-pixelbook-u2f-token-built-in/

We don't make any guarantees if you go and mess with crosh, but we also don't really state potential implications. Hence I think a word of warning is warranted.
Jun 13 2018
Jun 13 2018
> Except that the Yubikey behaves as expected by the user,
> this bug report is proof that user expectations are different for the built-in U2F implementation.

This might be true but totally unproven since there are 0 users on this bug, only developers from chromium-os-dev@chromium.org group.
Jun 13 2018
+1 to adding a warning in crosh until this is production-ready.
Jun 13 2018
Jun 13 2018
Well, this bug is still restricted access as long as it is Type=Bug-Security, so by definition there won't be more external users following this. Note that the original reporter is unaffiliated with Google or Chrome OS AFAICT though. Anyhow, I'll hold back the code change for now and give it until tomorrow for more people to weigh in (I've also pinged a few folks on chat to solicit their input).
Jun 18 2018
No further input here and general support for the warning message, so I've sent https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1099059 to the CQ. Since this change doesn't change behavior, filing merge requests right away (few merges are less risky).
Jun 18 2018
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review.

Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 18 2018
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 18 2018
Approved for 68 (this does not appear to require translation).
Jun 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/aeb16b7a802d4b077d83dcd62e822c5c6f3a2c61

commit aeb16b7a802d4b077d83dcd62e822c5c6f3a2c61
Author: Mattias Nissler <mnissler@chromium.org>
Date: Tue Jun 19 04:14:22 2018

crosh: Add U2F disclaimer.

The experimental U2F implementation is recently drawing more attention, and users are stumbling upon various restrictions (including some that have security implications) that we intend to resolve before public launch. Make users aware of this by showing a warning message with the u2_flags command.

BUG= chromium:851955
TEST=Invoking u2f_flags in crosh generates a scary warning message.

Change-Id: I74a7daabb51659b2e517462c0359a7858664345e
Reviewed-on: https://chromium-review.googlesource.com/1099059
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/aeb16b7a802d4b077d83dcd62e822c5c6f3a2c61/crosh/crosh
Jun 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/bbcbe75eea2de658d6652779a710b1e8e7482909

commit bbcbe75eea2de658d6652779a710b1e8e7482909
Author: Mattias Nissler <mnissler@chromium.org>
Date: Tue Jun 19 13:24:08 2018

crosh: Add U2F disclaimer.

The experimental U2F implementation is recently drawing more attention, and users are stumbling upon various restrictions (including some that have security implications) that we intend to resolve before public launch. Make users aware of this by showing a warning message with the u2_flags command.

BUG= chromium:851955
TEST=Invoking u2f_flags in crosh generates a scary warning message.

Change-Id: I74a7daabb51659b2e517462c0359a7858664345e
Reviewed-on: https://chromium-review.googlesource.com/1099059
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
(cherry picked from commit aeb16b7a802d4b077d83dcd62e822c5c6f3a2c61)
Reviewed-on: https://chromium-review.googlesource.com/1106117
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Trybot-Ready: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/bbcbe75eea2de658d6652779a710b1e8e7482909/crosh/crosh
Jun 19 2018
Confirming that no translation is necessary (crosh is all English regardless of language settings). Warning notice has landed on trunk and merged to 68 per https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1106117

kbleicher: Can we include this in an M67 stable refresh (assuming we're planning to do one)?
Jun 19 2018
Jun 19 2018
This CL appears to be limited to a help screen / warning? Has this been extensively tested and confirmed as safe for push?
Jun 20 2018
Ping given M67 timing
Jun 21 2018
Hey Kevin, this is indeed limited to a warning inside crosh. Should be a safe merge.
Jun 21 2018
Approving merge to M67 Chrome OS. Please merge soon given timelines.
Jun 21 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/3763843f52e7f2cbb8f91a56e49479d018dd05ca

commit 3763843f52e7f2cbb8f91a56e49479d018dd05ca
Author: Mattias Nissler <mnissler@chromium.org>
Date: Thu Jun 21 14:57:10 2018

crosh: Add U2F disclaimer.

The experimental U2F implementation is recently drawing more attention, and users are stumbling upon various restrictions (including some that have security implications) that we intend to resolve before public launch. Make users aware of this by showing a warning message with the u2_flags command.

BUG= chromium:851955
TEST=Invoking u2f_flags in crosh generates a scary warning message.

Change-Id: I74a7daabb51659b2e517462c0359a7858664345e
Reviewed-on: https://chromium-review.googlesource.com/1099059
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
(cherry picked from commit aeb16b7a802d4b077d83dcd62e822c5c6f3a2c61)
Reviewed-on: https://chromium-review.googlesource.com/1110058
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/3763843f52e7f2cbb8f91a56e49479d018dd05ca/crosh/crosh
Jun 21 2018
Merged to 67, thanks!
Jun 25 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 28 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 27
Sep 25
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 12
Dec 3
Comment 1 by mnissler@chromium.org, Jun 13 2018
Labels: Security_Severity-High Security_Impact-None