Google Chrome Downloads Files Before User Confirmation

Martin Brinkmann
Mar 18, 2010
Updated • Aug 30, 2016

I noticed a strange behavior in Google's latest Chrome developer build. I'm not sure if the problem exists in other versions of the Chrome browser as well, but it is likely that it does.

Whenever you download a file with the Google Chrome web browser you see a small confirmation dialog at the bottom of the screen if the file can potentially be harmful to the computer. Options presented by that small dialog are to save the file, or to discard it.

Update: In the most recent version of Google Chrome, the dialog has changed slightly. The message now reads "This type of file can harm your computer. Do you want to keep [filename] anyway?".

Options presented are to keep the file or to discard it. Keeping is the equivalent of save, but a better indication that the file has already been saved to the system.


Imagine my surprise that the file was already in the download directory of my computer even though I did not select one of the two options for that file.

Google Chrome apparently starts the download right away but renames the file until the user has made the decision whether to save the file or discard it.

The file is named unconfirmed xxxxx.download for the time being. It is, however, the complete file, and it can be executed or unpacked right from there, all without the user's confirmation.

This type of file can harm your computer. Are you sure you want to download [filename]?

A click on the discard button removes the file from the download directory again while the save button renames it to its original file name. Closing the web browser has the same effect as selecting the discard button.
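To see which downloads are sitting in this staged state, the download directory can be audited for the placeholder names. The script below is an added example, not part of the original article or of Chrome; the name pattern follows the article's "unconfirmed xxxxx.download", and its exact spelling in a given build is an assumption.

```python
import hashlib
import re
import sys
from pathlib import Path

# Name pattern as the article gives it ("unconfirmed xxxxx.download"); the exact
# spelling in any particular Chrome build is an assumption.
PENDING = re.compile(r"^unconfirmed .+\.download$", re.IGNORECASE)

# Leading bytes of formats that can be run or unpacked straight from disk.
MAGIC = [
    (b"MZ", "Windows executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF", "PDF document"),
]


def sniff(head):
    """Classify a file by its first bytes, ignoring its (renamed) extension."""
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "unknown"


def audit_pending(download_dir):
    """Return one record per staged, not yet confirmed download."""
    findings = []
    for path in sorted(Path(download_dir).iterdir()):
        if not path.is_file() or not PENDING.match(path.name):
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            head = fh.read(8)
            digest.update(head)
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        findings.append({"name": path.name, "size": path.stat().st_size,
                         "type": sniff(head), "sha256": digest.hexdigest()})
    return findings


if __name__ == "__main__":
    # Directory to audit is passed on the command line; defaults to the current one.
    for item in audit_pending(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(item)
```

The reported type comes from the file's content, so a staged executable is identified even though its placeholder name hides the original extension.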

This is obviously not a huge problem but it definitely makes the confirmation dialog less secure. It would be better if the web browser started the download only after the user's confirmation, or used a temporary directory to preload the file and moved it to the download directory after it has finished and the user has accepted the download.
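The temporary-directory approach suggested above can be sketched as follows. This is an added example, not Chrome's implementation; the class name `StagedDownload`, its methods and the staging file name are hypothetical.

```python
import shutil
import tempfile
from pathlib import Path


class StagedDownload:
    """Hold a download outside the download directory until the user decides."""

    def __init__(self, download_dir, filename):
        # Keep only the final path component so a crafted name cannot escape.
        self.final = Path(download_dir) / Path(filename).name
        # mkdtemp() creates a fresh directory accessible only to the current user.
        self.stage_dir = Path(tempfile.mkdtemp(prefix="staged-dl-"))
        self.staged = self.stage_dir / "payload.part"
        self.complete = False

    def fetch(self, chunks):
        """Write the body to the staging file; nothing touches download_dir."""
        with self.staged.open("wb") as fh:
            for chunk in chunks:
                fh.write(chunk)
        self.complete = True

    def keep(self):
        """User accepted: move the finished file under its real name."""
        if not self.complete:
            raise RuntimeError("download has not finished")
        if self.final.exists():
            raise FileExistsError(self.final)
        shutil.move(str(self.staged), str(self.final))
        self.discard()
        return self.final

    def discard(self):
        """User declined (or the browser closed): remove every staged byte."""
        shutil.rmtree(self.stage_dir, ignore_errors=True)


if __name__ == "__main__":
    target = tempfile.mkdtemp(prefix="downloads-")  # constructed stand-in directory
    dl = StagedDownload(target, "setup.exe")
    dl.fetch([b"MZ", b"constructed sample body"])
    print("before decision:", list(Path(target).iterdir()))
    print("after keep:", dl.keep())
```

The download still completes in the background, but the download directory only ever contains files the user has accepted.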

One of the main issues with Chrome flagging downloads as potentially harmful is that there is a chance of false positives. False positives are legitimate files that are not malicious or harmful, but that are flagged as such.


Comments

  1. James said on July 4, 2011 at 11:57 pm

    My late 2c. I agree with Martin that there should be a way to disable it… in all browsers… even if it is not a security threat.

    This is an optimization feature, but it assumes ample network capacity. With 3G, usage limits are back. It is all too easy to be directed to a large download, incur a significant use without the user confirming it. The default option to download in the background is fine. But the user should be able to disable it when it is not in his interest. I expect this much from open source browsers.

    To Neelesh… this is not for exe files only. I just noticed it over a large PDF.

  2. Neelesh said on March 21, 2010 at 8:18 am

    I think this confirmation is only displayed when an exe is being downloaded.

  3. ViceVersa said on March 18, 2010 at 12:09 pm

    Useful but potentially dangerous, e.g. a pre-existing Trojan can watch for a certain sequence coming in, be it a new DDOS script or a binary update. Using a temp dir and a random file name may help a bit but is not a solution. Should be a toggle in the security settings.

  4. BOB said on March 18, 2010 at 10:07 am

    Firefox also does the same for awhile already, I find it useful actually.

  5. Alex said on March 18, 2010 at 9:44 am

    Lol this proves techblog writers really don’t know everything about tech.

    1. Bred Floggs said on December 8, 2013 at 6:16 pm

      >> Sorry, you are wrong – I quote:
      He is passionate about all things tech and knows the Internet and computers like the back of his hand.

      Oh. OK actually, he doesn’t, and you are, actually, correct.

  6. shrewm said on March 18, 2010 at 9:34 am

    I don't think that this is not a bug but a feature. The latest ~30 builds of chromium and chrome act like this. And since the temp-downloaded file is not executable, I don't think it's a security problem.

    1. Martin said on March 18, 2010 at 10:05 am

      I think it is convenient but since the file can be renamed or extracted it can be a problem. It would be better if they would place it in a temporary directory until the user confirms the download.

      1. shiv said on March 24, 2011 at 6:09 am

        Correct. Do you have any idea, other than this, to save or download a file without asking any permission?

      2. Martin Brinkmann said on March 24, 2011 at 10:40 am

        I have not found an option to disable it.

  7. Rarst said on March 18, 2010 at 9:32 am

    Point is other browsers make temporary downloads in temporary folders. In the trash, not in the middle of legit files.

  8. Miguel said on March 18, 2010 at 9:28 am

    Opera does the same. I love it to be like that, sometimes you open in the background some download link and forget about it, it’s nice that the download is ready when I get back to that tab.
    As for security, come on! you don’t even have a point there.

  9. stoinov said on March 18, 2010 at 9:25 am

    This is the same behavior as FF has. And I don't think it's that insecure. As you mentioned, the file cannot be run by default, but can still be renamed. So to secure the method more, maybe they should make it impossible to rename until you click save. I think it's an easy-to-implement solution.
