Chrome completely deletes all extensions every time I open it

[Matthew]

See original (unhelpful) post on the help forum with copy of the debug log.

This problem started last week precisely when Chrome auto-updated to Version 58.0.3029.96 (64-bit)

When I opened Chrome yesterday, all my extensions were completely wiped out and deleted from disk (from the [datadir]/Default/Extensions folder). I manually re-installed each one. Interestingly, the preferences and passwords for each extension were restored - so that information was not wiped out. My bookmarks, history, and saved passwords were also intact. Today I open Chrome again and the exact same thing happened - all my extensions were wiped out without warning or anything. I manually re-installed each one AGAIN. 

I'm seeing the message "Chrome detected that some of your settings were corrupted by another program and reset them to their original defaults" in my settings tab. 

And here's probably where my problem is: I always start Chrome with the flag --user-data-dir= which targets an external encrypted hard drive to keep my history, extensions, preferences and passwords safe (I use Chrome on multiple different "public" computers at work). 

support.chrome.com says "Sometimes, programs that you install can change your Chrome settings without you knowing. For your safety, the browser checks if your settings have been changed every time you launch Chrome. If Chrome notices that something’s not right in your settings, it will automatically go back to the original settings."

...so I wonder if Chrome is trying to protect me from something and doing me a huge favor by deleting all my extensions. I wonder how it "knows" that settings have been changed? Is it storing a file somewhere else on the computer BESIDES the user data directory? That might explain the behavior.

[PhistucK]

If I remember correctly, the Preferences (or maybe the Secure Preferences) file contains the manifests (as well as some other details) of all of your extensions (as well as other settings, unrelated to extensions, of course).

It has extension paths in it - not relative ones, but absolute ones that include the drive. If you happen to be using a different drive letter, I guess Chrome would think that someone has tampered with the file and clear it somewhat.

Also, using different operating systems (or operating system versions, or architectures like 32 bit versus 64 bit) may have similar effects in one way or another, I would guess.

☆PhistucK

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
You received this message because you are subscribed to the Google Groups "Chromium-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discuss+unsubscribe@chromium.org.

[Matthew]

Hmmm... I'm using OSX. Can you tell me more about the "Secure Preferences"? I have the Chrome .plist files from ~/Library/Preferences/ but I don't think they are the culprit:

https://pastebin.com/gca6hik7

There are some preferences files also inside the custom dataDir, but so far I haven't been able to find anything that would necessarily change if I open Chrome on a different computer. Like, I haven't seen any paths that have the computer's name, just

/Volumes/myRemoveableDisk/myCustomChromeDataDir/

c

☆PhistucK

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discu...@chromium.org.

[proberge]

Hi Matthew,

I think I'm the developer that caused your issue. I enabled some logic to sign and validate user preferences. However, we didn't expect that users would use the same user profile across several computers. The key used to sign and validate preferences is machine-specific: I think your settings will be reset every time you switch to a different machine. 

I'm sorry I broke your workflow. An alternative could be to use Chrome Sync to share your preferences across machines.

That wouldn't work for your developer-mode extensions, however. Are you comfortable uploading them to the Chrome Web Store?

Have a good day

[Matthew]

Thanks Proberge, this is pretty interesting. If you have a moment, could you tell me where the key is stored? (on OSX?) If it's just a flat file I could use a symlink. And if possible can I see in which commit you added the logic on googlesource.com? 

I discovered that signing in to the browser helps for almost everything, but I have been specifically trying to avoid using "the cloud" because I'm squeamish about privacy. In addition, I added

--load-extension=...

 flags to my Chrome startup script to import the developer extensions. So my workflow has changed to include signing into the browser each morning (with 2FA) and trusting the cloud with my data, not horrible!

Thanks again.
 

[John Thomas]

Hi proberge,

Thanks for being up-front about the cause of this.  I also have this problem, which is causing me a real headache when moving to a new machine with different drive letters.  It also makes it near impossible to run a portable version of Chrome from a USB key (ala Liberkey or similar; though I realize this isn't necessarily something you intend to support).

Might I suggest that automatically deleting things is, in general, almost always a bad solution to a problem, just because the potential for unintended damage is high.  I understand this is a security feature, and I think checking the extension locations is actually a good feature.  However I don't think the response from Chrome should be to automatically delete files with unexpected paths, since deletion is a destructive operation (and one that apparently leaves no log as to what was deleted, which is even more problematic).

Instead, might I suggest the following modifications to limit the damage:

• Ideal: Prompt the user to indicate that the locations of the extensions has changed and ask them if this is OK; if they say it's OK then accept (and if necessary change the internal path references to) the extensions, otherwise delete them.  This would address the potential security concerns of hijacked extensions in a non-destructive way, and provide a simple solution for people who have a legitimate reason for the file locations to have changed.
  
• Alternate: Rather than deleting the files, move them to a "quarantine" folder or something like that.  And then allow the user to just copy them from the quaratine folder to the normal extensions folder to re-enable them.
  

Final Note: I'd guess that the problem caused by this security feature affects as many or more people than the security issue it's trying to prevent, and that means it probably needs a little more work to lessen the impact.  When implementing security causes more problems than it solves, the malware developers still win :).

Thanks,

John

On Friday, May 26, 2017 at 6:35:15 AM UTC-7, proberge wrote:

[proberge]

Hi John,

It's indeed unfortunate that extensions which are invalidated by secure preferences get deleted. I'm not sure why that is; the decision to delete uninstalled extension's folders was done long before my time.

Chrome tends to be pretty opiniated; it tries to avoid forcing users to make decisions as they're trying to get something done. For most users, the prompt wouldn't make sense and would be confusing.

Moving the files to quarantine makes sense. I'm worried about the development and maintenance cost of adding that logic, however. 

A very small minority of users are ever going to copy their user-data directory to a USB key or to a new drive. I don't know if it's worth implementing a mitigation for a small edge case.

Furthermore, there's a few workarounds:

* For running Chrome from a USB key, you could add the --user-data-dir=/path/to/directory/outside/of/usb/key flag to the Chrome shortcut in order to avoid preference validation conflicts when moving the USB key to a different machine.

* In general, if you're trying to migrate a profile to a new machine, the Chrome Sync feature works well. There's an option to "Encrypt synced data with your own sync passphrase" if you're privacy-conscious. 

I'd guess that the problem caused by this security feature affects as many or more people than the security issue it's trying to prevent, and that means it probably needs a little more work to lessen the impact.

I'm curious as to why you think so. How would you estimate the number of impacted people? 

Have a good day

[pinh...@gmail.com]

Hi Proberge, I'm the OP, I do already use the `data-dir` flag to point Chrome to my secure removable volume. However, when I move the volume to a new computer Chrome deletes all the extensions without warning. Even though the path is the same on every machine (in OSX: "/Volumes/MyDrive")

The only way I could work around this problem is by signing in to Chrome, which I was really trying to avoid because I don't want all that data in the cloud. Now when I open Chrome on a new machine I have to sign in, which re-downloads and installs all my extensions. Amazingly, the passwords and stored data for each extension are still intact and they just pop back up... After each newly re-installed extension splashes its "thanks for downloading" page :-/ this is my daily routine now.

[proberge]

Hi Matthew,

User-data-dir won't fix your issue since you're using the removable volume to move your user account between machines (as opposed to using a removable volume to have a portable Chrome executable). 

> After each newly re-installed extension splashes its "thanks for downloading" page :-/ this is my daily routine now.

Could you file a bug for this? If the passwords and stored data for each extension are still intact, it's surprising that Chrome thinks its a new extension installs and shows the "thanks for downloading" page. 

[pinh...@gmail.com]

My actual Chrome.app executable is also on the removable drive. I launch it with a custom script that includes the data dir flag.

How should I file a bug report? I admit I'm an obscure kinda edge case...

[proberge]

Hi Matthew,

How should I file a bug report? I admit I'm an obscure kinda edge case...

You can file a bug report at https://bugs.chromium.org/p/chromium/issues/entry.

You're hitting this issue more often than most users since you're using a different machine every day.

However, there's lots of users who sync their profile to a new device from time to time. 

I don't think it makes sense for the splash pages to show up in either case.

[pinh...@gmail.com]

Repeating my comment from the bug-report thread at https://bugs.chromium.org/p/chromium/issues/detail?id=810130#c8

The security feature where Chrome completely wipes all data (extensions, passwords, cookies) is remarkably disruptive. Is there a command line switch to disable it?

I start Chrome from removable media with a set of command line switches that:

- enable verbose logging

- specifies a specific datadir

- loads all my extensions using `--load-extension=...` which I had to start doing because Chrome kept DELETING them on every single startup!

PLEASE PLEASE PLEASE add a `--disable-destructive-security-wipe` flag so I can resume using this browser!