For those who have access to flags, incognito

[s0urce-c0de]

https://crbug.com/341245382 (not by me, i did not discover this)

DESCRIPTION [email protected] created issue #1

May 17, 2024 06:46AM

Security Bug

Important: Please do not change the component of this bug manually.

Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/faq.md

Please see the following link for instructions on filing security bugs: https://www.chromium.org/Home/chromium-security/reporting-security-bugs

Reports may be eligible for reward payments under the Chrome VRP: https://g.co/chrome/vrp

NOTE: Security bugs are normally made public once a fix has been widely deployed.

---

VULNERABILITY DETAILS
On Chrome OS, you can open an Incognito browsing window through the flag #captive-portal-popup-window even when the policy IncognitoModeAvailability equals 1 which should disable Incognito mode.

VERSION
Chrome Version: Tested on 124.0.6367.154 (Official Build) (64-bit), but the code path is still present in the HEAD on Chromium Code Search.
Operating System: Chrome OS 124.0.6367.154 (Official Build) (64-bit)

REPRODUCTION CASE

1. Ensure Incognito is disabled by IncognitoModeAvailability = 1.
2. Enable #captive-portal-popup-window in flags.
3. Trigger a captive portal notification by connecting to a network with a captive portal or by setting the DNS to one which triggers a captive portal.
4. Click 'Sign in' to open the captive portal popup.
5. With the captive portal popup focused, press Control-T. This will open a new incognito window, bypassing policy. You can now close the captive portal popup and switch to a working DNS or network.
   NOTE: You can also right-click -> View Source if DeveloperToolsAvailability allows such.

CODE PATH
The main problem is here. It explicitly checks if Incognito is disabled by policy, but if it is, it runs the same code as if not. The comment says:
Since the signin window enables extensions and disables navigation, no special handling is required when Incognito browsing is disabled by policy.
But the function it calls (definition here) uses an OTR profile regardless of IncognitoModeAvailability, and does not enable extensions as the comment asserts. To fix the problem, I would change the first file (chrome/browser/ui/ash/network/network_portal_signin_controller.cc) to not open the popup window if Incognito is disabled, as even if only the Control-T is disabled as a "fix", one can still run their own DNS server which will display something like Google in the captive portal, and bypass filtering.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
N/A

CREDIT INFORMATION
Externally reported security bugs may appear in Chrome release notes. If this bug is included, how would you like to be credited?
Reporter credit: @️​joshuajohncohen (GitHub)

Instructions for skids:

• go to chrome://flags/#captive-portal-popup-window
• if it didn't work, UPGRADE CHROME
• enable it
• restart
• hope your flags are still there. if they are continue, else you can't set flags
• use a dns which gives you a captive portal
• click CTRL+T after clicking sign in
• INCOGNITO MODE
• if it didn't work, might get patched.

EDIT:
THIS IS NOT MY SCHOOL, THIS IS THE IMAGE FROM THE BUG REPORT I ATTACHED.

If this gets patched, it is not my fault. This is listed as a Severity 4 Priority 4 Security Bug on the bug reporter.
I don't know if this is the correct dns, but lots of people say you can use detectportal.firefox.com as the DNS

[S-PScripts]

looks like the incognito exploit is back but easier?!

[S-PScripts]

what dns would open a captive hmm

[S-PScripts]

i think you doxxed your school i think you should edit and delete the first revision

[S-PScripts]

IT WORKS

[S-PScripts]

THE INCOGNITO EXPLOIT IS BACK

DNS TO USE: detectportal.firefox.com (from https://github.com/jee1mr/captive-portal)

[S-PScripts]

Also unblocks extensions!!!!!!!!!!!!!!!!!!! just like the original one

also make sure to change name server back to automatic

[akabutnicer]

since when could it ever do this?

[S-PScripts]

uh it opened the old incognito exploit captive tab too (separately) lol

i tried using the old incognito exploit DNS (52.207.185.90) but it didn't work

i guess it did but i didn't get the sign in popup??

[S-PScripts]

[S-PScripts]

the right was unintentional since i didnt notice , the left was what i did

[S-PScripts]

@AshtonDavies

[S-PScripts]

@Brandon421-ops

[S-PScripts]

Here's a version I wrote on this
The incognito exploit is BACK! (v124)

Instructions:

1. Go to chrome://flags/#captive-portal-popup-window.
2. If it doesn't exist, make sure to update chromeOS to the latest version.
3. Enable it.
4. Restart.
5. If the flag didn't reset, you can continue. Else you cannot.
6. Go to Settings.
7. Click Wifi in the Network section.
8. Click your wifi.
9. Click Network.
10. Set Name servers to Custom name servers.
11. Set the first box to detectportal.firefox.com.
12. A sign in pop up should appear from your wifi. Click Sign in.
13. Do CTRL+T - YOU'RE NOW IN INCOGNITO MODE!
14. Set Name servers back to what it was before.

Notes:
-> Extensions can't block you!
-> No search history!

Credits:
https://crbug.com/341245382
https://github.com/s0urce-c0de for finding the post

[S-PScripts]

ok

[S-PScripts]

I found a similar way to access incognito via WiFi. But I'm still confused on some parts of it.

I've never got the thing you said happen over in your issue

https://s-pscripts.github.io/incognito-v123/ is the new link for my incognito btw since the one on may 31 was changed

[s0urce-c0de]

oh ok that is why the old link didn't work

[op-max]

Perhaps the reason it does not work for most people is the network type. Different companies like Verizon manage DNS servers differently.

[S-PScripts]

Perhaps the reason it does not work for most people is the network type. Different companies like Verizon manage DNS servers differently.

note: i did find the incognito via wifi actually, its in the link (method 2) https://s-pscripts.github.io/incognito-v123/ . However, it's not exactly the same as yours.

i used ee wifi

[S-PScripts]

lots of people xd its just me yapping

ngl why are more people not actually talking about this- it's actually good

[s0urce-c0de]

where is that policy?

[s0urce-c0de]

my login screen i need internet+email+password

[S-PScripts]

my login screen has the wifi already on and email set

i just put the password

not sure what policy flags is

[s0urce-c0de]

probably a device flag

[S-PScripts]

yes

[brobcoolguy]

does this still work? im on v126 and after activating the flag the signin popup doesnt open in a seperate portal, just in a chrome tab

[S-PScripts]

im on v127 and it somehow works still

[wvminecraftkid]

me too it might be because the school uses a proxy

[ec4949]

no longer works on 128 :(

[S-PScripts]

indeed

[akabutnicer]

indeed

[AshtonDavies]

indeed