Status: Fixed
Closed: Sep 2012
OS: Android
Pri: 1
Type: Bug-Security
Security: UXSS via com.android.browser.application_id Intent extra
Reported by websec02...@gmail.com, Aug 25 2012
VULNERABILITY DETAILS
By sending a crafted intent to Chrome for Android, malicious Android
apps can inject javascript: URIs into arbitrary Web pages loaded
in Chrome. Injected javascript works in the context of the target
Web page's domain, not a blank domain. So it can be used for cookie
theft and the like. This kind of vuln is often called Cross-Application
Scripting.

VERSION
Chrome Version: Chrome for Android v18.0.1025123
Operating System: confirmed on Android 4.0.4 (Samsung Galaxy Nexus)

REPRODUCTION CASE
Sample code for a malicious Android app is attached.

NOTE
This issue was initially reported to security@google.com on Jul. 7
2012, but recently I heard from Google security team that the issue
might not be filed in Chromium bug database. So now I re-submit
the issue here which should be a legitimate place for reporting
Chrome bugs.

Attachment: poc1.txt (1.4 KB)
Comment 1 by jsc...@chromium.org, Aug 26 2012
Owner: palmer@chromium.org
@palmer - I believe these are fixed on their trunk but you'd know best.
Comment 2 by palmer@google.com, Aug 27 2012
Cc: klo...@chromium.org srikanth@chromium.org
Labels: -Area-Undefined Area-Internals OS-Android
No, this is a new bug that I don't think we have seen or dealt with yet. Thanks again Takeshi! I'm working on setting up an Android dev environment on my new machine so I can repro it, and I'll fill in the rest of the tags once I have done so.
Comment 3 by palmer@chromium.org, Aug 27 2012
Cc: -klo...@chromium.org palmer@chromium.org
Labels: -Pri-0 Pri-2 SecImpacts-Stable SecImpacts-Beta Mstone-18 SecSeverity-Medium
Owner: klo...@chromium.org
Status: Assigned
Summary: Security: UXSS via com.android.browser.application_id Intent extra (was: NULL)
I have reproduced this. Nice! Updating the summary line.

So the next question is, what are the potential fixes? Here are some random ideas:

* Do we need this Intent extra? If not, can we get rid of it?

* Require that new URLs received via Intent with the com.android.browser.application_id Intent extra have the same origin as the current URL in the tab; if the origins don't match, start a new tab or reject/ignore the Intent.

* Ignore javascript: URIs received via Intents.
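As an added illustration (not Chromium code and not part of this thread), here is how a browser's VIEW-intent handler could apply the second and third ideas above: refuse any non-web scheme delivered via Intent, and reuse the tab matched by the application_id extra only when the incoming URL's origin equals the tab's current origin, otherwise open a new tab. The class name, the Decision enum and the decide() signature are assumptions; the extra name is the one from the report.

```java
import android.content.Intent;
import android.net.Uri;

/** Hypothetical hardening of an external VIEW-intent handler (illustrative only). */
public final class IntentUrlPolicy {

    public enum Decision { REJECT, NEW_TAB, SAME_TAB }

    // Only ordinary web schemes may be navigated to on behalf of another app;
    // this is what blocks javascript: URIs arriving through an Intent.
    private static boolean isWebScheme(Uri uri) {
        String s = uri.getScheme();
        return s != null && (s.equalsIgnoreCase("http") || s.equalsIgnoreCase("https"));
    }

    // Default port when the URL carries none (Uri.getPort() returns -1).
    private static int effectivePort(Uri u) {
        int p = u.getPort();
        if (p != -1) return p;
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Origin = scheme + host + effective port, compared case-insensitively.
    static boolean sameOrigin(Uri a, Uri b) {
        if (!isWebScheme(a) || !isWebScheme(b)) return false;
        if (!a.getScheme().equalsIgnoreCase(b.getScheme())) return false;
        if (a.getHost() == null || b.getHost() == null) return false;
        if (!a.getHost().equalsIgnoreCase(b.getHost())) return false;
        return effectivePort(a) == effectivePort(b);
    }

    /**
     * Decide how to handle a VIEW intent sent by another app.
     * currentTabUrl is the URL loaded in the tab selected via the
     * com.android.browser.application_id extra, or null if no tab matched.
     */
    public static Decision decide(Intent intent, Uri currentTabUrl) {
        String data = intent.getDataString();
        if (data == null) return Decision.REJECT;
        Uri target = Uri.parse(data);
        // Idea 3: ignore javascript: (and any other non-web) URIs received via Intent.
        if (!isWebScheme(target)) return Decision.REJECT;
        String appId = intent.getStringExtra("com.android.browser.application_id");
        if (appId == null || currentTabUrl == null) return Decision.NEW_TAB;
        // Idea 2: reuse the tab only on an exact origin match; otherwise open a new one.
        return sameOrigin(target, currentTabUrl) ? Decision.SAME_TAB : Decision.NEW_TAB;
    }
}
```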
Comment 4 by palmer@chromium.org, Aug 27 2012
Labels: reward-topanel
Cc: vinodkr@chromium.org
Pri-2 / SecSeverity-Medium - so not making it into M18.1. We will consider for M18.2
Comment 6 by klo...@chromium.org, Aug 29 2012
Chris, need a little detail. How does this work? Is it because we open an intent in the same tab due to an application_id match?
Comment 7 by palmer@chromium.org, Aug 29 2012
Yes. The meat of the problem seems to be this line from Takeshi's poc1.txt (attached, see above):

    // Need a trick to prevent Chrome from loading the new URL in a new tab
    intent2.putExtra("com.android.browser.application_id", "com.android.chrome");


Cc: klo...@chromium.org
Owner: nileshagrawal@chromium.org
Labels: ReleaseBlock-Stable
Cc: mkosiba@chromium.org
Labels: -Pri-2 Pri-1
Status: Fixed
Labels: -reward-topanel reward-unpaid reward-500
Thank you, Takeshi! This report qualifies for a $500 Chrome security reward.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Project Member Comment 16 by bugdroid1@chromium.org, Oct 14 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: -reward-unpaid
Project Member Comment 18 by bugdroid1@chromium.org, Jan 18 2013
Labels: Restrict-View-EditIssue
Restrict-View-EditIssue is preferred since it allows anyone who can edit an issue (committers and contributors) to view the bug.
Project Member Comment 20 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-Internals -SecImpacts-Stable -SecImpacts-Beta -Mstone-18 -SecSeverity-Medium Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium M-18 Cr-Internals Type-Bug-Security
Project Member Comment 21 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityTeam
Labels: -Restrict-View-EditIssue
Project Member Comment 24 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 25 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 26 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 27 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 28 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 30 by sheriffbot@chromium.org, Oct 2 2016
Labels: Restrict-View-SecurityNotify
Labels: allpublic
Project Member Comment 32 by sheriffbot@chromium.org, Oct 3 2016
Labels: -Restrict-View-SecurityNotify