Check Point experts reported a security issue with the Mac version of the Chrome Remote Desktop extension, which allows attackers to gain access to a user account without a password.
“Chrome Remote Desktop” is an extension for the Chrome browser that allows users to access their desktop computers from other computers or smartphones. The vulnerability discovered by researchers allows hackers to log in as a guest and access the session of another active user without having to enter a password.
For the vulnerability to be exploitable, the account owner must first allow guests remote access to their computer. In addition, when the guest connects to the remote computer, there must be at least one active user in the session. To gain access, the guest simply clicks the “Guest” icon on the authorization screen.
The expected behavior is that a user who connects remotely to the macOS machine receives a guest session. On the remote computer this is indeed the case, but the local machine (the one running the Chrome extension) receives the session of another active user.
The researchers told Google about the problem, but the company did not consider it a security vulnerability and will not issue a fix.