
Issue 879921


Issue metadata

Status: WontFix
Owner:
Closed: Sep 4
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security




Security: Chrome OS registered account two-Factor Authentication bypass

Reported by danielfr...@gmail.com, Sep 2

Issue description

VULNERABILITY DETAILS
It is possible to bypass registered Chrome OS accounts that require two-factor authentication by turning off WiFi.

VERSION

Google Chrome	68.0.3440.118 (Official Build) (64-bit)
Revision	a7ca4397b06108b300bc00c52932eaeae010e662-refs/branch-heads/3440@{#808}
Platform	10718.88.2 (Official Build) stable-channel falco
Firmware Version	Google_Falco.4389.92.0

REPRODUCTION CASE

If the setting: Settings > People > Manage Other people > Show usernames and photos on the sign-in screen is turned off, then with WiFi (e.g. internet access) when the Chromebook starts up, it goes straight to the Chrome OS "sign in to your Chromebook" page. The registered Chromebook user is required to enter their username and password, then they are asked for 2-factor authentication (if the Google account has 2FA enabled).

The issue is: if WiFi is off then there is a link: "if you've already registered on this device, you can sign in as an existing user." (on the "Network not available" page) which, if the user selects it, lets them log in to their Chromebook with their registered account username and password without the 2FA. This would allow an attacker with a user's username/password and physical access to the user's Chromebook to access the device without needing 2FA.
 
Components: UI>Shell>StartScreen
Labels: Security_Severity-Low Security_Impact-Stable M-71 OS-Chrome Pri-2
Owner: jorgelo@chromium.org
Status: Assigned (was: Unconfirmed)
I believe that this is working as intended -- the "physical access to the user's chromebook" is a big "if" -- exactly analogous to the way that an attacker with physical access to the user's 2FA token isn't impeded by 2FA.

Nonetheless, passing the report onto chromeos in case they wish to elaborate.
Yeah, unfortunately I don't know that we can prevent users from logging in when the device is offline.
Status: WontFix (was: Assigned)
I.e. we cannot turn an offline device into a brick.

2FA and security keys defend a mostly remote/phishing threat model, not against a local attacker. By definition, something that you *own* (like a security key) can be stolen or removed from you by force, so it's not fully reasonable to expect a security key to protect against a local attacker that has access to your device and to you.

Protection against local attackers is based on a factor that you *know*, aka, your password.

Thanks for the report.
Thank you for the feedback.
Project Member

Comment 5 by sheriffbot@chromium.org, Dec 12

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
