Issue 883656

Starred by 2 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Feature

Security: No Security Warnings Displayed when Extension is installed on sync'd browsers

Reported by roble...@gmail.com, Sep 13

Issue description

VULNERABILITY DETAILS
When a browser extension is loaded via the sync process, it does not provide any indication to the user that it is being installed and activated, other than its icon appearing next to the omnibox. Similarly, it does not present the user on the sync'd browser with the same security warnings that are presented on the source browser. Consequently, a rogue extension installed, either accidentally or maliciously, on one PC could be used to compromise all browsers that are logged in as the same user, without the user's knowledge.

VERSION
Chrome Version: [69.0.3497.92] + [stable]
Operating System: [Tested on Windows 7 and 10, but probably affects all]

REPRODUCTION CASE

On PC A sign in to Chrome.
On PC B sign in to Chrome as the same user.
Leave the default settings to Sync Everything.
Install Extension on PC A.
User on PC A gets a security warning as to the permissions the extension needs.
Extension is sync'd to PC B automatically.
No warnings are displayed on PC B.


Admittedly this could be thought of as a physically-local attack, but consider a common scenario of PC A being a shared home PC and PC B being a corporate PC behind a firewall; the implications could be serious.
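Because PC B shows no permission prompt, the only local record of what arrived by sync is the profile's "Secure Preferences" JSON. The script below is an added example written for this page, not code from the bug report or from Chromium: it reads a preferences blob, lists each extension with its granted permissions and install time, and flags grants that deserve a second look on a corporate machine. The key layout (extensions.settings.<id> with granted_permissions, from_webstore, install_time and manifest) follows what Chrome writes, but the exact field names should be treated as an assumption and checked against a real profile; the risk heuristic and the sample data are constructed here.

```python
"""Audit the extensions recorded in a Chrome profile's "Secure Preferences".

Added example, not from the bug report or Chromium. Field names follow the
layout Chrome writes under extensions.settings.<id> but are an assumption to
verify against a real profile. Sample data and the risk lists are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample resembling a profile's "Secure Preferences" file.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "install_time": "13181111111000000",
                "location": 1,
                "manifest": {"name": "Harmless Notes", "version": "1.2"},
                "granted_permissions": {
                    "api": ["storage"],
                    "explicit_host": [],
                    "scriptable_host": [],
                },
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": True,
                "install_time": "13181222222000000",
                "location": 1,
                "manifest": {"name": "Totally Legit Helper", "version": "0.9"},
                "granted_permissions": {
                    "api": ["tabs", "webRequest", "webRequestBlocking", "cookies"],
                    "explicit_host": ["<all_urls>"],
                    "scriptable_host": ["http://*/*", "https://*/*"],
                },
            },
        }
    }
})

# Grants that warrant review on a managed machine. Heuristic chosen for this
# example, not a Chromium list.
HIGH_RISK_API = {"cookies", "history", "webRequest", "webRequestBlocking",
                 "proxy", "debugger", "nativeMessaging", "management"}
BROAD_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}

# Chrome stores install_time as microseconds since 1601-01-01 UTC.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time(value):
    """Convert a Chrome timestamp string to an aware UTC datetime."""
    return CHROME_EPOCH + timedelta(microseconds=int(value))


def audit_extensions(prefs_json):
    """Return one record per extension, flagging broad or sensitive grants."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    report = []
    for ext_id, entry in sorted(settings.items()):
        granted = entry.get("granted_permissions", {})
        api = set(granted.get("api", []))
        hosts = set(granted.get("explicit_host", [])) | set(granted.get("scriptable_host", []))
        reasons = sorted(api & HIGH_RISK_API)
        if hosts & BROAD_HOSTS:
            reasons.append("broad host access")
        manifest = entry.get("manifest", {})
        report.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "from_webstore": bool(entry.get("from_webstore", False)),
            "installed": chrome_time(entry["install_time"]).isoformat() if "install_time" in entry else None,
            "flagged": bool(reasons),
            "reasons": reasons,
        })
    return report


def flagged_ids(prefs_json):
    """IDs of extensions whose grants tripped the heuristic."""
    return [r["id"] for r in audit_extensions(prefs_json) if r["flagged"]]


if __name__ == "__main__":
    for rec in audit_extensions(SAMPLE_SECURE_PREFERENCES):
        marker = "!!" if rec["flagged"] else "  "
        print(f"{marker} {rec['name']} {rec['version']} ({rec['id']}) installed {rec['installed']}")
        if rec["reasons"]:
            print("     reasons:", ", ".join(rec["reasons"]))
```

On a real machine, point it at the profile's "Secure Preferences" file (for example under the user's Chrome "User Data\Default" directory on Windows) instead of the constructed sample; the install_time conversion is what lets you line an unexplained extension up against the sync event that delivered it.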

 
Components: Platform>Extensions Services>Sync
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Chrome OS-Linux OS-Mac OS-Windows Pri-2 Type-Bug
This is currently working as designed, so I'm going to move it out of the security queue. We do see sync being used as an attack vector, so I would like to see changes made here, but that's a product decision that would need to be made.

Cc: rdevlin....@chromium.org
Labels: -Type-Bug Sync-Triaged Type-Feature
Status: Untriaged (was: Unconfirmed)
Yep, once you approve an extension's permissions, we consider them approved on all devices where you sync. If we didn't do it like that, then every time you sign in on a new device, you'd get a warning for every extension you installed, even though you previously approved it.

I'd argue that people should have a warning for every extension installed when they sign in to a new device, or at least be given the option to get a warning.

Shared PCs are very common, particularly in the home environment, and people tend not to sign out of Chrome.



Cc: jawag@chromium.org
Status: Available (was: Untriaged)
As other folks have pointed out, this is currently WAI.  If you want to opt out of having extensions automatically sync'd across devices, you can disable sync (optionally just for extensions, if you want to keep syncing history, etc).

We have been investigating whether we can make this better by incorporating more sophisticated checks (e.g., warnings for when you sync from a suspicious device that we don't know is you, etc.), but to add warnings each time a new extension is added greatly reduces the utility of extensions sync.

Marking this as available, since we would like to do something here in the future, but it's not on our immediate roadmap.