I noticed a strange behavior in Google’s latest Chrome developer build. I’m not sure if the problem exists in other versions of the Chrome browser as well, but it is likely that it does.
Whenever you download a file with the Google Chrome web browser you see a small confirmation dialog at the bottom of the screen if the file can potentially be harmful to the computer. Options presented by that small dialog are to save the file, or to discard it.
Update: In the most recent version of Google Chrome, the dialog has changed slightly. The message now reads “This type of file can harm your computer. Do you want to keep [filename] anyway?”.
Options presented are to keep the file or to discard it. Keeping is the equivalent of save, but a better indication that the file has already been saved to the system.
Imagine my surprise that the file was already in the download directory of my computer even though I did not select one of the two options for that file.
Google Chrome apparently starts the download right away but renames the file until the user has made the decision whether to save the file or discard it.
The file is named unconfirmed xxxxx.download for the time being. It is however the complete file and it can be executed or unpacked right from there, all without the users confirmation.
This type of file can harm your computer. Are you sure you want to download [filename]?
A click on the discard button removes the file from the download directory again while the save button renames it to its original file name. Closing the web browser has the same effect as selecting the discard button.
This is obviously not a huge problem but it definitely makes the confirmation dialog less secure. It would be better if the web browser would start the download only after the user’s confirmation, or to use a temporary directory to preload the file and move it to the download directory after it has finished and the user has accepted the download.
One of the main issues with Chrome flagging downloads as potentially harmful is that there is a chance of false positives. False positives are legitimate files that are not malicious or harmful, but that are flagged as such.