Issue 854951

Issue metadata

Status: Unconfirmed
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Extensions InstallVerifier doesn't process invalid extension response from the server

Reported by ivafa...@gmail.com, Jun 21 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 YaBrowser/18.3.1.349 Yowser/2.5 Safari/537.36

Steps to reproduce the problem:
1. |InstallVerifier| performs a request to a web server to check against an invalid id.
2. The web server makes a response:
"""
{
  "protocol_version": 1,
  "invalid_ids": [<ext_id>]
}
"""
3. |InstallSigner| cannot find a "signature" field in the response, so it treats the response as invalid.

What is the expected behavior?
Either |InstallSigner| is able to parse responses without valid ids, or the web server produces responses with a signature and expiration date.

What went wrong?
Malware extension is not recognized.

WebStore page: 

Did this work before? No 

Chrome version: 64.0.3282.140  Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 30.0 r0
 

Comment 1 by ivafa...@gmail.com, Jun 21 2018

@asargent, could you please have a look at the ticket as the code author?
Labels: Needs-Milestone
Cc: susan.boorgula@chromium.org
Labels: Needs-Feedback Triaged-ET
ivafanas@ Thanks for the issue.

Request you to provide a sample extension where this issue can be reproduced which will help us in further triaging of the issue.

Thanks..

Comment 4 by ivafa...@gmail.com, Jun 27 2018

Hi Susan.

You may check any extension whose id is not in the Chrome Web Store.

It is not critical to have an extension example; the signing server deals with ids only. For example: mfakcejlogndbogfkbgenkbhdgofikgl

The Chrome signing server receives POST requests in the following format:

  // The request protocol is JSON of the form:
  // {
  //   "protocol_version": "1",
  //   "hash": "<base64-encoded hash value here>",
  //   "ids": [ "<id1>", "id2" ]
  // }

It can be found here:
https://cs.chromium.org/chromium/src/chrome/browser/extensions/install_signer.cc?dr&l=380

So, a request of this kind:
{
  "protocol_version": "1",
  "hash": "<base64-encoded hash value here>",
  "ids": [ "mfakcejlogndbogfkbgenkbhdgofikgl" ]
}

leads to a response without a signature field, which is not parsed by the Chrome code here:
https://cs.chromium.org/chromium/src/chrome/browser/extensions/install_signer.cc?dr&l=473
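
The first expected behavior in the report (accepting a reply that has no valid ids) can be sketched as follows. This is an added example, not Chromium's code or part of any comment in this thread; `classify_response`, the status strings and the `"expiry"` field name are assumptions, and signature verification is left to the caller.

```python
import json

EXT_ID = "mfakcejlogndbogfkbgenkbhdgofikgl"  # id quoted in the comment above
OTHER_ID = "a" * 32                          # constructed id

# Constructed sample replies; the first has the shape shown in the issue description.
UNSIGNED_ALL_INVALID = json.dumps({"protocol_version": 1, "invalid_ids": [EXT_ID]})
UNSIGNED_PARTIAL = json.dumps({"protocol_version": 1, "invalid_ids": []})
SIGNED = json.dumps({"protocol_version": 1, "signature": "PLACEHOLDER",
                     "expiry": "2018-07-01",  # "expiry" is an assumed field name
                     "invalid_ids": [EXT_ID]})

MALFORMED = ("malformed", frozenset(), frozenset())


def classify_response(requested_ids, body):
    """Return (status, valid_ids, invalid_ids) for one signing-server reply."""
    requested = set(requested_ids)
    try:
        doc = json.loads(body)
    except ValueError:
        return MALFORMED
    if not isinstance(doc, dict) or str(doc.get("protocol_version")) != "1":
        return MALFORMED

    raw = doc.get("invalid_ids", [])
    if not isinstance(raw, list) or not all(isinstance(i, str) for i in raw):
        return MALFORMED
    invalid = set(raw)
    if not invalid <= requested:  # server may only answer for ids we asked about
        return MALFORMED

    if isinstance(doc.get("signature"), str) and isinstance(doc.get("expiry"), str):
        # Signed reply: the caller must still verify signature and expiry
        # before trusting valid_ids (not shown here).
        return ("signed", requested - invalid, invalid)

    # Unsigned reply: accept only when every requested id was rejected, so there
    # is nothing to sign. This path can never mark an id as valid.
    if requested and invalid == requested:
        return ("all_invalid", set(), invalid)
    return MALFORMED


if __name__ == "__main__":
    for body in (UNSIGNED_ALL_INVALID, UNSIGNED_PARTIAL, SIGNED):
        print(classify_response([EXT_ID], body)[0])
```

Because the unsigned branch only ever returns invalid ids, a forged unsigned reply can cause an id to be treated as invalid but cannot cause one to be treated as verified.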
Comment 5 by sheriffbot@chromium.org, Jun 27 2018

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot