New issue
Advanced search Search tips

Issue 852371 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Jun 2018
Cc:
atwilson@chromium.org
kerrnel@chromium.org
devlin@chromium.org
Components:
EstimatedDays: ----
NextAction: 2018-06-14
OS: Chrome
Pri: 2
Type: Bug-Security



Sign in to add a comment

Security: It is possible to bypass an extension on the Chrome Web Store being blocked by an administrator

Reported by jo...@slackorama.com, Jun 13 2018 
VULNERABILITY DETAILS
It is possible to download an extension that an administrator has blocked by getting the extension’s .CRX, extracting it, and loading it manually.

VERSION
Chrome Version: 67.0.3396.87, stable
Operating System: ChromeOS, 67.0.3396.87

REPRODUCTION CASE
It is impossible for me to provide a file to recreate the results, but I will tell you how i did it. First, I downloaded the .CRX file of the extension I wanted to use. Then, I extracted the extension’s contents from the .CRX file. Finally, I loaded that as an unpacked extension in chrome://extensions.

Comment 1 Deleted

Comment 2 by wfh@chromium.org, Jun 13 2018

Cc: devlin@chromium.org kerrnel@chromium.org
Components: Platform>Extensions
Labels: OS-Chrome Pri-2
Thanks for your report.

This is certainly something that an administrator could block by using an extension whitelist instead of a blacklist.

I'm not sure if this is a security property that ChromeOS makes guarantees about, so adding some CrOS people.

Comment 3 by rdevlin....@chromium.org, Jun 13 2018

Cc: atwilson@chromium.org
If you want to prevent users from loading arbitrary extensions, you can either restrict the list of allowed extensions to only those within an allowlist, as wfh mentioned [1], or you can also disable developer tools (preventing users from loading unpacked extensions) [2].  I think either of those would solve the problem.

I don't see this as being a security issue.  I'll let kerrnel@ chime in, but I think we can probably close this out.

+atwilson@ as well in case he has thoughts.

[1] https://www.chromium.org/administrators/policy-list-3#ExtensionInstallWhitelist
[2] https://www.chromium.org/administrators/policy-list-3#DeveloperToolsDisabled

Comment 4 by jo...@slackorama.com, Jun 13 2018 

Good point. I didn’t consider that.

Comment 5 by wfh@chromium.org, Jun 13 2018

NextAction: 2018-06-14
yup, sounds like the enterprise policies have this one covered. I'll close this out tomorrow.

Comment 6 by monor...@bugs.chromium.org, Jun 14 2018 

The NextAction date has arrived: 2018-06-14

Comment 7 by atwilson@chromium.org, Jun 14 2018

Status: WontFix (was: Unconfirmed)
Agreed. Canonically, admins that care about what extensions their users use should just enforce a whitelist. There's literally nothing stopping an extension author from putting multiple clones of their extension on the chrome web store, so blocking developer tools + individual extension IDs is insufficient.
Project Member

Comment 8 by sheriffbot@chromium.org, Sep 20

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment