Issue 343921: Add more security-relevant flags to the bad flags infobar
Reported by phistuck, Feb 14, 2014
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36

Steps to reproduce the problem:
1. Create a phishing page that looks like the Google Account login page and steals the entered credentials.
2. Specify --gaia-url=the-url-to-the-page when starting Chrome.

What is the expected behavior?
Some overlay that reads something like -
"Beware - testing only, enter credentials only if you know why you see this message".

What went wrong?
My credentials have just been stolen.

Did this work before? N/A 

Chrome version: 32.0.1700.107  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 12.0 r0

While it is a low risk and there are a lot of ways someone can do harm when they have any access to the computer (enough to add a command line flag), I think it is a pretty easy way to steal important credentials.
Feb 14, 2014
#1 phistuck
Same goes for --ignore-certificate-errors.
Feb 14, 2014
#2 phistuck
And --disable-web-security.
Feb 14, 2014
#3 phistuck
Maybe also --sync-allow-insecure-xmpp-connection.
Feb 14, 2014
#4 phistuck
And --sync-url.
Feb 14, 2014
#5 phistuck
And maybe -
--translate-script-url
--translate-security-origin
--trusted-spdy-proxy
--wallet-secure-service-url
Feb 14, 2014
#6 jln@chromium.org
There are indeed a lot of flags that would reduce or annihilate Chrome's security. These flags should not be used by non-developers.

Some flags such as --no-sandbox display an overlay like the one you mention, but most flags are not labeled in this way.

I'm routing to security-UX in case it's something they would want to look into, but my guess is that we would continue the current approach: label dangerous flags only if there is some evidence that regular users are misusing them (such as --no-sandbox).
Status: Available
Cc: f...@chromium.org
Labels: Security_Impact-None Security_Severity-None Cr-Security-UX
Feb 14, 2014
#7 f...@chromium.org
I don't think these flags are within our threat model.

If you can add a command line flag to a user's default Chrome install, you can also install a malicious extension or a keylogger. If someone is adding a flag to their own Chrome, they probably have some idea of what it does.

With that being said, I wouldn't be *opposed* to someone else going and adding a non-dismissible red infobar for scary flags.
Feb 14, 2014
#8 jschuh@chromium.org
We already have a dismissible yellow infobar. :) If a good samaritan wants to compile a list of bad flags it's very easy to add them here:

https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/ui/startup/bad_flags_prompt.cc&l=29&q=KBadFlags&sq=package:chromium

I leave the scariness of the infobar up to anyone else, but I will fix the flags on this to properly make it a security feature bug.

Labels: -Restrict-View-SecurityTeam -Type-Bug-Security -Security_Impact-None -Security_Severity-None Cr-Security Type-Bug
Feb 15, 2014
#9 phistuck
Can you at least add the ones this issue mentions?
Feb 24, 2014
#10 f...@chromium.org
(No comment was entered for this change.)
Owner: f...@chromium.org
Cc: -f...@chromium.org
Feb 24, 2014
#11 f...@chromium.org
I added a bunch in https://codereview.chromium.org/178803004 (from here + some other grepping). Focus is on ones that really could be abused. Taking suggestions for more, if anyone has any.
Feb 24, 2014
#12 f...@chromium.org
(No comment was entered for this change.)
Status: Started
Feb 28, 2014
#13 f...@chromium.org
(No comment was entered for this change.)
Summary: Add more security-relevant flags to the bad flags infobar (was: --gaia-url endangers Google account credentials)
Mar 6, 2014
#14 bugdro...@chromium.org
------------------------------------------------------------------------
r255314 | felt@chromium.org | 2014-03-06T11:40:04.391287Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/startup/bad_flags_prompt.cc?r1=255314&r2=255313&pathrev=255314

Apply the bad flags infobar to some more security-relevant flags

BUG=343921

Review URL: https://codereview.chromium.org/178803004
------------------------------------------------------------------------
Mar 6, 2014
#15 f...@chromium.org
(No comment was entered for this change.)
Status: Fixed
Mar 11, 2014
#16 srsrid...@chromium.org
Tested the issue on Windows 8 OS - canary 35.0.1883.0 (Official Build 256105). Running chrome with flag --gaia-url=the-url-to-the-page, a warning info-bar is displayed as shown in the attached screenshot.
343921.png
Cc: srsrid...@chromium.org
Labels: TE-Verified-35.0.1833.0
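
An added example, not part of the original thread or of Chromium's code: a defender-side audit that scans Chrome launch command lines (taken from shortcuts or process listings) for the flags named in the comments above. The flag set is copied from this thread, not from `bad_flags_prompt.cc`; the sample lines are constructed, and treating a bare `--` as the end of switches is an assumption about Chrome's command-line parsing.

```python
import shlex

# Flags named in this issue thread (not Chromium's actual kBadFlags list).
RISKY_FLAGS = {
    "--gaia-url", "--ignore-certificate-errors", "--disable-web-security",
    "--sync-allow-insecure-xmpp-connection", "--sync-url",
    "--translate-script-url", "--translate-security-origin",
    "--trusted-spdy-proxy", "--wallet-secure-service-url", "--no-sandbox",
}

def risky_flags(command_line):
    """Return [(flag, value_or_None)] for thread-listed flags in one command line."""
    try:
        tokens = shlex.split(command_line)
    except ValueError:
        # Unbalanced quotes: fall back to whitespace splitting instead of skipping.
        tokens = command_line.split()
    hits = []
    for token in tokens[1:]:  # tokens[0] is the executable path
        if token == "--":
            break  # assumed switch terminator: later tokens are plain arguments
        if not token.startswith("--"):
            continue  # URLs and other arguments, even if they contain a flag name
        name, sep, value = token.partition("=")
        if name in RISKY_FLAGS:
            hits.append((name, value if sep else None))
    return hits

def audit(command_lines):
    """Map each command line that carries a listed flag to its hits."""
    report = {}
    for line in command_lines:
        hits = risky_flags(line)
        if hits:
            report[line] = hits
    return report

# Constructed sample launch lines (hypothetical paths and hosts).
SAMPLES = [
    '/opt/google/chrome/chrome --gaia-url=https://login.example.test/ https://mail.example.test',
    '"/opt/google/chrome/chrome" --user-data-dir="/tmp/p 1" --ignore-certificate-errors --no-sandbox',
    '/opt/google/chrome/chrome -- --disable-web-security',
    '/opt/google/chrome/chrome https://example.test/?q=--sync-url=x',
]

if __name__ == "__main__":
    for line, hits in audit(SAMPLES).items():
        print(line, "->", hits)
```
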