Google Chrome Downloads Files Before User Confirmation - gHacks Tech News

Google Chrome Downloads Files Before User Confirmation

I noticed a strange behavior in Google's latest Chrome developer build. I'm not sure if the problem exists in other versions of the Chrome browser as well, but it is likely that it does.

Whenever you download a file with the Google Chrome web browser you see a small confirmation dialog at the bottom of the screen if the file can potentially be harmful to the computer. Options presented by that small dialog are to save the file, or to discard it.

Update: In the most recent version of Google Chrome, the dialog has changed slightly. The message now reads "This type of file can harm your computer. Do you want to keep [filename] anyway?".

Options presented are to keep the file or to discard it. Keeping is the equivalent of save, but a better indication that the file has already been saved to the system.

this type of file harm your computer

Imagine my surprise that the file was already in the download directory of my computer even though I did not select one of the two options for that file.

Google Chrome apparently starts the download right away but renames the file until the user has made the decision whether to save the file or discard it.

The file is named unconfirmed xxxxx.download for the time being. It is however the complete file and it can be executed or unpacked right from there, all without the users confirmation.

This type of file can harm your computer. Are you sure you want to download [filename]?

A click on the discard button removes the file from the download directory again while the save button renames it to its original file name. Closing the web browser has the same effect as selecting the discard button.

This is obviously not a huge problem but it definitely makes the confirmation dialog less secure. It would be better if the web browser would start the download only after the user's confirmation, or to use a temporary directory to preload the file and move it to the download directory after it has finished and the user has accepted the download.

One of the main issues with Chrome flagging downloads as potentially harmful is that there is a chance of false positives. False positives are legitimate files that are not malicious or harmful, but that are flagged as such.

Summary
Google Chrome Downloads Files Before User Confirmation
Article Name
Google Chrome Downloads Files Before User Confirmation
Description
Did you know that Google Chrome downloads files that it considers harmful fully to the local system despite displaying a prompt in its interface?
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. stoinov said on March 18, 2010 at 9:25 am
    Reply

    This is the same behavior as FF has. And I don’t think it’s that insecure. As you mentioned the file cannot be run by default, but can still be renamed. So to secure the method more maybe they should make unable rename until you click save. I think its easy to implement solution.

  2. Miguel said on March 18, 2010 at 9:28 am
    Reply

    Opera does the same. I love it to be like that, sometimes you open in the background some download link and forget about it, it’s nice that the download is ready when I get back to that tab.
    As for security, come on! you don’t even have a point there.

  3. Rarst said on March 18, 2010 at 9:32 am
    Reply

    Point is other browsers make temporary downloads in temporary folders. In the trash, not in the middle of legit files.

  4. shrewm said on March 18, 2010 at 9:34 am
    Reply

    I don´t think that this is not a bug but a feature. The latest ~30 builds of chromium and chrome act like this. And since the temp-downloaded file is not executable, I don´t think it´s a security problem.

    1. Martin said on March 18, 2010 at 10:05 am
      Reply

      I think it is convenient but since the file can be renamed or extracted it can be a problem. It would be better if they would place it in a temporary directory until the user confirms the download.

      1. shiv said on March 24, 2011 at 6:09 am
        Reply

        corect. do you have any idea.. other than this, to save or download file without asking any permission??????

      2. Martin Brinkmann said on March 24, 2011 at 10:40 am
        Reply

        I have not found an option to disable it.

  5. Alex said on March 18, 2010 at 9:44 am
    Reply

    Lol this proves techblog writers really don’t know everything about tech.

    1. Bred Floggs said on December 8, 2013 at 6:16 pm
      Reply

      >> Sorry, you are wrong – I quote:
      He is passionate about all things tech and knows the Internet and computers like the back of his hand.

      Oh. OK actually, he doesn’t, and you are, actually, correct.

  6. BOB said on March 18, 2010 at 10:07 am
    Reply

    Firefox also does the same for awhile already, I find it useful actually.

  7. ViceVersa said on March 18, 2010 at 12:09 pm
    Reply

    Useful but potentially dangerous, e.g. a pre-existing Trojan can watch for a certain sequence coming in, be it a new DDOS script or a binary update. Using a temp dir and a random file name may help a bit but is not a solution. Should be a toggle in the security settings.

  8. Neelesh said on March 21, 2010 at 8:18 am
    Reply

    I think, this confirmation is only displayed when an exe is being downloaded.

  9. James said on July 4, 2011 at 11:57 pm
    Reply

    My late 2c. I agree with Martin that there should be a way to disable it… in all browsers… even if it is not a security threat.

    This is an optimization feature, but it assumes ample network capacity. With 3G, usage limits are back. It is all too easy to be directed to a large download, incur a significant use without the user confirming it. The default option to download in the background is fine. But the user should be able to disable it when it is not in his interest. I expect this much from open source browsers.

    To Neelesh… this is not for exe files only. I just noticed it over a large PDF.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.