Issue 343921: Add more security-relevant flags to the bad flags infobar
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36

Steps to reproduce the problem:
1. Create a phishing page that looks like the Google Account login page and steals the entered credentials.
2. Specify --gaia-url=the-url-to-the-page when starting Chrome.

What is the expected behavior?
Some overlay that reads something like - "Beware - testing only, enter credentials only if you know why you see this message".

What went wrong?
My credentials have just been stolen.

Did this work before? N/A

Chrome version: 32.0.1700.107 Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 12.0 r0

While it is a low risk and there are a lot of ways someone can do harm when they have any access to the computer (enough to add a command line flag), I think it is a pretty easy way to steal important credentials.
Feb 14, 2014
#1
phistuck
Feb 14, 2014
And --disable-web-security.
Feb 14, 2014
Maybe also --sync-allow-insecure-xmpp-connection.
Feb 14, 2014
And --sync-url.
Feb 14, 2014
And maybe -
--translate-script-url
--translate-security-origin
--trusted-spdy-proxy
--wallet-secure-service-url
Feb 14, 2014
There are indeed a lot of flags that would reduce or annihilate Chrome's security. These flags should not be used by non-developers. Some flags such as --no-sandbox display an overlay like the one you mention, but most flags are not labeled in this way. I'm routing to security-UX in case it's something they would want to look into, but my guess is that we would continue the current approach: label dangerous flags only if there is some evidence that regular users are misusing them (such as --no-sandbox).
Status: Available
Cc: f...@chromium.org
Labels: Security_Impact-None Security_Severity-None Cr-Security-UX
Feb 14, 2014
I don't think these flags are within our threat model. If you can add a command line flag to a user's default Chrome install, you can also install a malicious extension or a keylogger. If someone is adding a flag to their own Chrome, they probably have some idea of what it does. With that being said, I wouldn't be *opposed* to someone else going and adding a non-dismissible red infobar for scary flags.
Feb 14, 2014
We already have a dismissible yellow infobar. :) If a good samaritan wants to compile a list of bad flags it's very easy to add them here: https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/ui/startup/bad_flags_prompt.cc&l=29&q=KBadFlags&sq=package:chromium I leave the scariness of the infobar up to anyone else, but I will fix the flags on this to properly make it a security feature bug.
Labels: -Restrict-View-SecurityTeam -Type-Bug-Security -Security_Impact-None -Security_Severity-None Cr-Security Type-Bug
Feb 15, 2014
Can you at least add the ones this issue mentions?
Feb 24, 2014
(No comment was entered for this change.)
Owner: f...@chromium.org
Cc: -f...@chromium.org
Feb 24, 2014
I added a bunch in https://codereview.chromium.org/178803004 (from here + some other grepping). Focus is on ones that really could be abused. Taking suggestions for more, if anyone has any.
Feb 24, 2014
(No comment was entered for this change.)
Status: Started
Feb 28, 2014
(No comment was entered for this change.)
Summary: Add more security-relevant flags to the bad flags infobar (was: --gaia-url endangers Google account credentials)
Mar 6, 2014
------------------------------------------------------------------------
r255314 | felt@chromium.org | 2014-03-06T11:40:04.391287Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/startup/bad_flags_prompt.cc?r1=255314&r2=255313&pathrev=255314

Apply the bad flags infobar to some more security-relevant flags

BUG=343921

Review URL: https://codereview.chromium.org/178803004
------------------------------------------------------------------------
Mar 6, 2014
(No comment was entered for this change.)
Status: Fixed
Mar 11, 2014
Tested the issue on Windows 8 OS - canary 35.0.1883.0 (Official Build 256105). Running chrome with flag --gaia-url=the-url-to-the-page, a warning info-bar is displayed as shown in the attached screenshot.
Cc: srsrid...@chromium.org
Labels: TE-Verified-35.0.1833.0
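
An endpoint-side check for the switches named in this thread, as an added example that is not part of the original issue or of Chromium's code: it parses a browser process command line (for instance from process-creation telemetry) and reports any of those switches. The function name, the switch set (taken from the comments above, not from the committed bad flags list) and the sample command lines are assumptions.

```python
import shlex

# Switches named in this issue thread. Assumption: the final list committed to
# bad_flags_prompt.cc is not shown on the page, so this set is illustrative.
RISKY_SWITCHES = {
    "gaia-url", "disable-web-security", "sync-allow-insecure-xmpp-connection",
    "sync-url", "translate-script-url", "translate-security-origin",
    "trusted-spdy-proxy", "wallet-secure-service-url", "no-sandbox",
}


def risky_switches(command_line, windows=False):
    """Return [(switch, value)] for risky switches in one browser command line."""
    # Non-POSIX splitting keeps backslashes in Windows paths intact.
    argv = shlex.split(command_line, posix=not windows)
    # Assumption: mirrors Chromium's switch parsing, where Windows also accepts
    # "/" as a prefix and lower-cases switch names.
    prefixes = ("--", "-", "/") if windows else ("--", "-")
    hits = []
    for arg in argv[1:]:              # argv[0] is the executable path
        arg = arg.strip('"')          # non-POSIX shlex leaves quotes on tokens
        if arg == "--":               # terminator: what follows are URLs/files
            break
        prefix = next((p for p in prefixes if arg.startswith(p)), None)
        if prefix is None:
            continue                  # positional argument (URL or file)
        name, _, value = arg[len(prefix):].partition("=")
        if windows:
            name = name.lower()
        if name in RISKY_SWITCHES:
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    # Constructed sample command lines, not taken from real telemetry.
    samples = [
        (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
         r'--GAIA-URL=https://login.example.test/ /no-sandbox', True),
        ("/opt/google/chrome/chrome --user-data-dir=/tmp/p -- --disable-web-security", False),
    ]
    for line, is_windows in samples:
        print(risky_switches(line, windows=is_windows), "<-", line)
```

A hit on a user's everyday browser shortcut or on a long-running browser process is worth investigating even when the infobar was dismissed, since the infobar only warns and does not block the switch.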