Security: No Security Warnings Displayed when Extension is installed on sync'd browsers
Reported by roble...@gmail.com, Sep 13
Issue description

VULNERABILITY DETAILS
When a browser extension is loaded via the sync process, it does not provide any indication to the user that it is being installed and activated, other than its icon appearing next to the omnibox. Similarly, it does not present the user on the sync'd browser with the same security warnings that are presented on the source browser. Consequently, a rogue extension installed, either accidentally or maliciously, on one PC could be used to compromise all browsers that are logged in as the same user, without the user's knowledge.

VERSION
Chrome Version: [69.0.3497.92] + [stable]
Operating System: [Tested on Windows 7 and 10, but probably affects all]

REPRODUCTION CASE
On PC A, sign in to Chrome.
On PC B, sign in to Chrome as the same user. Leave the default settings to Sync Everything.
Install an extension on PC A. The user on PC A gets a security warning as to the permissions the extension needs.
The extension is sync'd to PC B automatically. No warnings are displayed on PC B.

Admittedly, this could be thought of as a physically-local attack, but consider a common scenario of PC A being a shared home PC and PC B being a corporate PC behind a firewall: the implications could be serious.
Sep 17
Yep, once you approve an extension's permissions, we consider them approved on all devices where you sync. If we didn't do it like that, then every time you sign in on a new device, you'd get a warning for every extension you installed, even though you previously approved it.
Sep 17
I'd argue that people should have a warning for every extension installed when they sign in to a new device, or at least be given the option to get a warning. Shared PCs are very common, particularly in the home environment, and people tend not to sign out of Chrome.
Sep 17
As other folks have pointed out, this is currently WAI. If you want to opt out of having extensions automatically sync'd across devices, you can disable sync (optionally just for extensions, if you want to keep syncing history, etc.). We have been investigating whether we can make this better by incorporating more sophisticated checks (e.g., warnings for when you sync from a suspicious device that we don't know is you, etc.), but adding warnings each time a new extension is added greatly reduces the utility of extensions sync. Marking this as Available, since we would like to do something here in the future, but it's not on our immediate roadmap.
Comment 1 by rsesek@chromium.org, Sep 13
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Chrome OS-Linux OS-Mac OS-Windows Pri-2 Type-Bug