Status: Fixed
Closed: Oct 2014
OS: Android
Pri: 1
Type: Bug-Security

Security: handleAuthenticatorUrl to launch any activity from web page
Reported by, Oct 9 2014
handleAuthenticatorUrl in
can launch unintended activities (those without the BROWSABLE category) on the phone.

Chrome Version: Chrome for Android 37.0.2062.117
Operating System: Android 4.4.2


Opening the following HTML in Chrome will start the Settings application on Android:

var url = "intent:#Intent;;SEL;;end";
location.href = url;

Another example URL to launch the camera application:
var url = "intent:#Intent;;SEL;;end";

Labels: OS-Android Security_Severity-High Security_Impact-Stable Cr-Mobile-Intents
Status: Available
Thanks for the report.

Adding some ccs from bug 370399. Does anyone know who a good owner for this might be?
+CC jaekyun@ who's currently working in that area. Jaekyun, you want to take this on?
FTR: since the code in handleAuthenticatorUrl looks like it's copy-pasted from UrlHandler it should be easy to port the fixes from 370399.
Project Member Comment 4 by, Oct 9 2014
Labels: M-38 Pri-1
I will take a look at this issue.
I've uploaded to fix this issue.

Project Member Comment 7 by, Oct 10 2014
The following change refers to this bug:
Labels: Merge-Requested
Status: Started
Labels: -Merge-Requested
My change was reverted because it caused a lint error.

So I've uploaded after fixing the lint error.

Labels: Merge-Requested
The change has landed successfully.
BTW, isn't M38 already released? Maybe we only need to merge the patch into M39, because this isn't a regression.
Labels: -M-38 M-39
38 has been released, per comment 11, punting to 39. 
Labels: -Merge-Requested Merge-Approved
merge approved for m39 branch 2171
Labels: -Merge-Approved Merge-Merged
Status: Fixed
is just merged to m39.
Project Member Comment 16 by, Oct 14 2014
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 17 by, Oct 16 2014
Note that an explicit intent can also be used here (instead of a selector) to bypass the security check.
An interesting exploit would be to start a voice dialer while playing a voice command with the Web Audio API.

var url = "intent:#Intent;;;end";

see attachment.

My patch covers that explicit intent as well, because it resets the component information of both the intent and the selector inside the intent.

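As an added illustration of the hardening described in this thread (example code, not the Chromium patch itself): the helper below parses an intent: URL the way a browser would, then clears the component on both the outer intent and its selector and requires the BROWSABLE category on each, so neither the selector form from the report nor the explicit-intent form from comment 17 can reach an activity that did not opt in to browser launches. The sample URLs and the com.example.placeholder package are constructed for this example.

```java
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import java.net.URISyntaxException;

/** Added example, not Chromium's code: sanitize an intent parsed from a web page before launching it. */
public final class WebIntentSanitizer {
    // Constructed samples. The first names a target activity on the outer intent (explicit intent),
    // the second hides the target inside a selector (the SEL form); both must be neutralised.
    static final String SAMPLE_EXPLICIT =
            "intent:#Intent;component=com.example.placeholder/.InternalActivity;end";
    static final String SAMPLE_SELECTOR =
            "intent:#Intent;SEL;component=com.example.placeholder/.InternalActivity;end";

    /** Parse a web-supplied intent: URL and strip anything that lets it target a specific activity. */
    public static Intent sanitize(String url) throws URISyntaxException {
        Intent intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);

        // Only activities that declared CATEGORY_BROWSABLE may be started from web content.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        // Clearing the component turns an explicit intent back into an implicit one,
        // so the BROWSABLE filter above is actually consulted during resolution.
        intent.setComponent(null);

        // When a selector is present, Android resolves the selector rather than the outer
        // intent, so the same two fixes must be applied to it.
        Intent selector = intent.getSelector();
        if (selector != null) {
            selector.addCategory(Intent.CATEGORY_BROWSABLE);
            selector.setComponent(null);
        }
        return intent;
    }

    /** Launch a web-supplied intent after sanitizing it; false when the URL is bad or nothing BROWSABLE matches. */
    public static boolean launchFromWeb(Context context, String url) {
        try {
            Intent intent = sanitize(url);
            intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(intent);
            return true;
        } catch (URISyntaxException | ActivityNotFoundException e) {
            return false;
        }
    }
}
```

After sanitize(), getComponent() is null on both the intent and its selector for either sample URL, so a non-BROWSABLE activity such as the constructed InternalActivity is no longer a resolution candidate.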
Labels: Release-0-M39
Labels: reward-topanel
Comment 21 by, Nov 13 2014
Chrome 39 for Android is out; when will this issue get a CVE identifier?
What is a CVE identifier?
Comment 23 by, Nov 13 2014
Please see
For example, in the following release notes, a CVE identifier (CVE-2014-3201) is assigned:
Grace, whom should I contact in Chrome team to get a CVE identifier for this issue?

When Chrome 39 is released, I'll update this with the CVE.
Labels: -reward-topanel reward-unpaid reward-2000 CVE-2014-7905
Thanks for the report! This one qualified for a $2000 reward.
Comment 27 by, Nov 17 2014
Thanks a lot, you are so kind! If possible, please credit me as "WangTao(neobyte) of Baidu X-Team".
Labels: -reward-unpaid reward-inprogress
Reward payment in progress.
Labels: -reward-inprogress reward-inprocess
Project Member Comment 30 by, Jan 19 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 32 by, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member Comment 33 by, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic