Security: Bypass daily password restriction with multiple accounts
Reported by
rnhuis...@gmail.com,
Aug 6
Issue description

VULNERABILITY DETAILS
When using quick switch with multiple Google accounts on a Chromebook, a user can escalate access, bypassing the daily password requirements, from a lesser-secured account.

VERSION
Chrome Version: 67.0.3396.99 + stable
Operating System: Chrome OS 67.0.3396.99

REPRODUCTION CASE
1. Enable multiple accounts on the Chromebook.
2. Enable PIN-based authentication on each account.
3. Enable quick switching between 2 accounts.
4. After a day, a password will be required, even with PIN-based authentication.
5. Enter the password for 1 account.
6. After logging in, the PIN will work again.
7. Quick switching into the second account will work even when logging in with the PIN, without needing a password for the 2nd account.
Aug 7
This may be intended behavior because quick switching between accounts is supposed to work for any set of accounts that are already signed in. If I understand this correctly it is essentially raising the question: Should multiple signed in accounts require separate sign-ins after some time has passed since the device has been used (when the lock screen or sign in screen is shown)?
Aug 7
This is WAI. When you have multiple users logged in, whenever you unlock the device you unlock for every user that is currently signed in. The specific unlock mechanism is not considered. PIN timeout only means that PIN cannot be used to authenticate. If I recall correctly, there is a policy option to limit unlocking to only managed accounts when a managed account is signed in.
Aug 13
Is there a reference to that policy? This is a concern for companies that allow users to use a personal account, and a policy change would be fine to fix it. Thanks, Rafael
Aug 13
The specific policy to control this is ChromeOsMultiProfileUserBehavior (https://www.chromium.org/administrators/policy-list-3)
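One way to check, from a chrome://policy JSON export, whether the policy named above is set restrictively enough to rule out the shared-unlock scenario described in this thread. This is an added example, not code from the bug thread or from Chromium. The export layout ({"chromePolicies": {name: {"value": ...}}}), the sample exports, and treating an unset policy as unrestricted are assumptions; the three values (unrestricted, primary-only, not-allowed) are the ones documented for ChromeOsMultiProfileUserBehavior on the policy list.

```python
import json

POLICY = "ChromeOsMultiProfileUserBehavior"

# (may_be_primary, may_be_secondary) for each documented policy value.
BEHAVIOUR = {
    "unrestricted": (True, True),   # may start a session and may be added to another user's
    "primary-only": (True, False),  # may start a session but cannot be added as a secondary user
    "not-allowed": (False, False),  # may not take part in a multi-profile session at all
}


def multiprofile_status(export_json):
    """Read the policy from a chrome://policy JSON export (assumed layout:
    {"chromePolicies": {<name>: {"value": ..., "source": ...}}}) and report
    whether the managed user may be the primary or a secondary user of a
    multi-profile session."""
    export = json.loads(export_json)
    entry = export.get("chromePolicies", {}).get(POLICY)
    if entry is None:
        # Policy not set: this check treats the user as unrestricted. That is an
        # assumption for reporting purposes; the real default is whatever the
        # platform applies to that user type.
        return {"value": None, "primary": True, "secondary": True, "source": "unset"}
    value = entry.get("value")
    if value not in BEHAVIOUR:
        raise ValueError(f"unknown {POLICY} value: {value!r}")
    primary, secondary = BEHAVIOUR[value]
    return {"value": value, "primary": primary, "secondary": secondary,
            "source": entry.get("source", "unknown")}


def shared_unlock_possible(export_json):
    """True if the managed user can share a session with another user at all,
    which is the precondition for the behaviour in the report: one unlock
    covers every signed-in user, whatever credential was used."""
    status = multiprofile_status(export_json)
    return status["primary"] or status["secondary"]


def _export(value=None):
    """Build a constructed export with the policy set to `value` (or unset)."""
    policies = {}
    if value is not None:
        policies[POLICY] = {"value": value, "scope": "user",
                            "level": "mandatory", "source": "cloud"}
    return json.dumps({"chromePolicies": policies, "extensionPolicies": {}})


# Constructed sample exports; not data from any real device.
SAMPLE_EXPORTS = {
    "unset": _export(),
    "unrestricted": _export("unrestricted"),
    "primary-only": _export("primary-only"),
    "not-allowed": _export("not-allowed"),
}

if __name__ == "__main__":
    for name, export in SAMPLE_EXPORTS.items():
        s = multiprofile_status(export)
        print(f"{name:13s} primary={s['primary']!s:5s} secondary={s['secondary']!s:5s} "
              f"shared session possible: {shared_unlock_possible(export)}")
```

Only "not-allowed" removes the scenario entirely; "primary-only" still lets the managed account start a session that a personal account is then added to, so the single shared unlock described in the comment above still applies.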
Nov 14
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Aug 7
Owner: allenwebb@chromium.org
Status: Assigned (was: Unconfirmed)