Opera just imported everything from Chrome, including authentication tokens. How can I protect my Chrome profile folders?

3

0

I've recently installed Opera browser in unattended mode (using Chocolatey: choco install opera). When I opened it for the first time, Opera had all my bookmarks imported from Chrome (unwanted, but OK).

Then I clicked on GMail in the Opera bookmark bar, and to my huge surprise, it loaded my Gmail account without asking me to authenticate first. I was able to read my email as though I was still in Chrome.

Apparently, Opera has somehow imported my Google account OAuth2 tokens from my Chrome profile under "%LOCALAPPDATA%\Google\Chrome\User Data\..." and it's able to make use of them, perhaps because it also uses Chromium as its rendering engine.

IMO, this is a problem with how Chrome protects its local user profile data. To me, it's both undesirable and scary. I would at least expect Chrome to use something like Windows Data Protection API (DPAPI) to encrypt its sensitive data.

Is there any way I can prevent other programs (like Opera) from poking their noses into my Chrome local profile, besides by not installing them?


Updated: I reported this to the Chrome team, and they have dismissed the issue for the following reason: Why aren't physically-local attacks in Chrome’s threat model?

Ironically, remedies like PKCE have been put in place to protect access tokens from malicious local actors in the OAuth2 authorization flow. I struggle to understand how the existence of PKCE sides with Chrome's stance on local attacks.

I personally don't think the mitigation of that attack vector should be completely ignored. From a user perspective, as soon as I've provided my password to Chrome for encrypted data sync'ing, I'd expect it to be stored using the underlying OS API for storing secrets.

DPAPI, being that API for Windows, can't fully protect applications from each other, but it does rather a good job mitigating that. It presents the user with a standard OS dialog, requesting to authorize the access:

[Screenshot: DPAPI prompt]

This screenshot is from running an example from the online DPAPI docs. Note how the system UI shows the location of the app trying to access the secret, so it's my choice as an informed user whether to grant the access or not.

Of course, malware can still spoof that UI, but this is not something that legit, code-signed and generally trusted software like Opera would do. If Chrome used DPAPI, Opera would have to use it too, for their import-from-Chrome feature to work. Invoked by Opera, the DPAPI UI would prompt me to authorize the access to Chrome's local data, and I would have an option to reject it.


Updated: there's a sign that the Chromium team may address this issue in the future.

noseratio

Posted 2019-10-04T10:08:47.690

Reputation: 465

Does installing Opera from its official installer also import Chrome's auth tokens? – Biswapriyo – 2019-10-08T05:17:22.840

@Biswapriyo, yes it does, all checkboxes are ticked by default: https://imgur.com/mAjXQx2.

– noseratio – 2019-10-08T05:37:30.550

Here's the full installer link at the time of posting this: https://get.geo.opera.com/pub/opera/desktop/63.0.3368.71/win/Opera_63.0.3368.71_Setup_x64.exe

– noseratio – 2019-10-08T05:39:29.983

These days Opera is just a reskinned Chrome. So it's not even really a local attack. You read Chrome's data with one version of Chrome, or another version of Chrome. I don't really see how we can help answer the question as, as you say, it comes down to Google's programming. – Sir Adelaide – 2019-10-10T07:07:19.343

@SirAdelaide, I tend to agree there's not much we can do, although I'm still not happy that anything I might be running on my PC could potentially read/exploit my Chrome tokens. Also, while I'm not the only one concerned, I'm surprised most people don't see this as a Chrome issue. I even considered using Chrome under a separate dedicated user account (e.g.: RUNAS /user:ChromeUser "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"), and giving up on using it as the default browser for external links.

– noseratio – 2019-10-10T08:37:59.257

1

Ideas: (1) Run Chrome under another user account and only give this account permission to access the Chrome folder, (2) Stash away the Chrome folder in a safe place, for example a sandbox of Sandboxie and run Chrome via Sandboxie.

– harrymc – 2019-10-10T14:25:43.350

@harrymc, I must have lived under a rock as I've never heard of Sandboxie. Sounds like Docker for GUI apps :) – noseratio – 2019-10-10T19:30:09.390

1

Sandboxie is a security product for isolating suspicious programs, redirecting their file and registry modifications into a sandbox area and not into the real system. A product that discovers that your Chrome folder is in C:\path will still be blocked because no such folder will exist inside the "normal" file system, but only in the "shadow" file system. – harrymc – 2019-10-10T19:57:06.010
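
One way to check and apply idea (1) from the comments above, as an added example that is not part of the original thread. It assumes the local account ChromeUser (the name used in the RUNAS comment) already exists; the directory C:\ChromeProfiles\ChromeUser and the function name are hypothetical.

```powershell
# Added example, not from the thread. ChromeUser is the account name used in the
# comments; $ProfileDir is a hypothetical location chosen for illustration.
$ChromeUser = "$env:COMPUTERNAME\ChromeUser"
$ProfileDir = 'C:\ChromeProfiles\ChromeUser'

function Get-UnexpectedProfileAccess {
    # Lists Allow ACEs that let anyone outside $AllowedIdentity read files in $Path.
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedIdentity
    )
    # ReadData plus the raw GENERIC_ALL / GENERIC_READ bits, which inherit-only
    # ACEs (e.g. CREATOR OWNER) often carry instead of specific file rights.
    $readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData -bor
                0x10000000 -bor 0x80000000
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readMask) -ne 0) -and
            ($AllowedIdentity -notcontains $_.IdentityReference.Value)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# 1. Audit the default profile: every principal listed here (normally your own
#    account, SYSTEM and Administrators) can read the profile files, and so can
#    any program running as one of them.
Get-UnexpectedProfileAccess -Path "$env:LOCALAPPDATA\Google\Chrome\User Data" `
                            -AllowedIdentity $ChromeUser | Format-Table -AutoSize

# 2. Create a dedicated directory, drop inherited ACEs, grant only ChromeUser.
New-Item -ItemType Directory -Path $ProfileDir -Force | Out-Null
icacls $ProfileDir /inheritance:r /grant:r "${ChromeUser}:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 3. Re-audit: an empty result means the DACL grants read access to nobody else.
$leftover = Get-UnexpectedProfileAccess -Path $ProfileDir -AllowedIdentity $ChromeUser
if ($leftover) { $leftover | Format-Table -AutoSize }
else           { 'No other account is granted read access by the DACL.' }
```

The account that created the directory remains its owner and can rewrite the DACL, so from an elevated prompt transfer ownership with `icacls $ProfileDir /setowner $ChromeUser`; administrators can still take ownership back. Chrome started as ChromeUser can be pointed at this directory with its `--user-data-dir` switch.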

No answers