Chromium source accidentally contained test malware

Google this afternoon alerted Chromium developers about the possibility that they were exposed to malware used for testing due to an internal “oversight.”

The open-source nature of Chromium means that anybody can take the code to create their own browser. That Chromium source code repository from September 9 to November 18 contained “some test Office documents that included some unshielded malware.” Google notified Chromium developers of this error in an email on Friday afternoon.

These samples were inadvertently committed to the repository without obfuscation in the process of testing the security feature to detect the presence of malware distributed through macros in Office documents. These test files were not included in any Chrome release.

Security researchers have a need to use sample malware files for the purposes of automated testing of detection. The best practice in these cases is to obfuscate such files so that they cannot be accidentally opened or executed. In this case, we didn’t do that, potentially exposing Windows developers to accidental infection if they were to open these files themselves (i.e. by browsing to the Chromium source checkout folder and double-clicking on the Office document).

Google explicitly says that users of Chrome and other Chromium-based browsers, e.g. Microsoft Edge, are not impacted. Specifically, “Chromium/Chrome does not, and has never included any of these files, so users of those products are at no risk.”

Rather, the Chromium team made this disclosure for developers. That said, the Windows malware was five years old and the .doc and .docx test files in question have to be manually opened to cause infection.

3. We have confirmed that the malware itself is inactive as of this writing.

4. Tests using these files do not trigger the malware, so incidental infection via running tests would not have occur[r]ed.

5. The Chromium repo synced past Nov 18th, 2021 does not pose a risk to developers. 

As such, the company believes that it’s “exceedingly unlikely that any contributors were infected by this malware” and that there have been no “reports of any contributors being infected by opening these files.”