Chrome: trick users into giving access to all files on local disk (2016)

The use of the word "trick" here is well-warranted. This is really more of a UI thing (i.e. it's a little too easy for a user to accidentally click "Ok"). Applications have responded to concerns like this by just having the "Ok" button be non-clickable for a full second after appearing.

Personally I'm using firejail (and drop Chrome since few months) so... In any case the problem of modern browsers is that they are monster with a so big and so "closely developed" codebase that even if open no one, perhaps many devs included, really know it enough. And the trend is more and more to add features...

> fortunately, on Linux, the exploit (even the limited one in #2) simply crashes Chrome after grinding for a while.

This is the title of the bug:<p>Security: Read all local files using minimal user interaction and gesture laundering<p>The title here on HN should include some combination of &quot;bug&quot;, &quot;security&quot;, &quot;fixed&quot;, and &quot;gesture laundering&quot;. The way it&#x27;s written now sounds like Chrome&#x27;s designers are _trying_ to trick users into giving file access permissions. That&#x27;s not the case.

I&#x27;m confused what happens here. Sure, you are tricked into pressing Return in a file open dialog. But you can&#x27;t open the “file” `C:\`… right? Does that somehow let the page access files on the disk?

The beginning of a new class of user-interface attack?

Fixed in v.66?