I have noticed a strange behavior in Google’s latest Chrome developer build. I’m not sure if the problem exists in other versions of the Chrome browser as well but it is likely that it does.
Whenever you download a file with the Google Chrome web browser you see a small confirmation dialog at the bottom of the screen if the file can potentially be harmful to the computer. Options presented in that small dialog are to save the file or to discard it.
Imagine my surprise that the file was already in the download directory of my computer even though I did not select one of the two options for that file.
Google Chrome apparently starts the download right away but renames the file until the user has made the decision whether to save the file or discard it.
The file is named unconfirmed xxxxx.download for the time being. It is however the complete file and it can be executed or unpacked right from there, all without the users confirmation.
A click on the discard button removes the file from the download directory again while the save button renames it to its original file name. Closing the web browser has the same effect as selecting the discard button.
This is obviously not a huge problem but it definitely makes the confirmation dialog less secure. It would be better if the web browser would start the download only after the user’s confirmation or to use a temporary directory to preload the file and move it to the download directory after it has finished and the user has accepted the download.
Continua a leggere – Original Link: Google Chrome Downloads Files Before User Confirmation