
Issue 481015

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Apr 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security




Security: XSS in the bookmark button

Project Member Reported by f...@chromium.org, Apr 24 2015

Issue description

[Reported via e-mail from FB eng]

VULNERABILITY DETAILS
1. Go to http://sandboxing.me/poc/0ab1dceb8c7f70ce936cdd826f9145ba4874dcb273fddf70a2e4e826cbd6eeda505a128eedf4f8c1ef9d69ad6bfe8e2f96dc5a68b676082f243e35cdc74dd236.html
2. Open dev tools
3. Bookmark the page
4. Notice that JS executes a console.log statement

VERSION
Chrome Version: 42+
Operating System: Tested on Mac, guess it probably affects other OSes too

REPRODUCTION CASE
See attached. It boils down to the meta property:

<meta property="og:description" content="&quot;&gt;&lt;img src=x onerror=console.log(&quot;hello&quot;)&gt;" />

Attachment: poc.html (215 bytes)
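An added illustration of the injection path the report describes; this is not code from the Chromium issue, from the enhanced-bookmarks component extension, or from any commenter. It parses a constructed PoC page that embeds only the meta tag quoted above, decodes the content attribute the way an HTML parser would (which is why `&quot;&gt;&lt;img ...&gt;` becomes live markup), then renders the description once by string concatenation into an HTML template (the innerHTML-style pattern that produces this class of bug) and once with escaping (equivalent to assigning the value to textContent). A last helper lists tag names present in the rendered markup beyond the template's own, the check you would run against a fixed build. The function names, the template and the tag-list check are this example's own assumptions.

```javascript
// Constructed PoC page: only the <meta> element is taken from the report.
const POC_PAGE =
  '<html><head>' +
  '<meta property="og:description" content="&quot;&gt;&lt;img src=x onerror=console.log(&quot;hello&quot;)&gt;" />' +
  '</head><body></body></html>';

// Minimal attribute-value entity decoding (named, decimal, hex references).
// A real HTML parser decodes these before the value ever reaches an extension.
const NAMED_ENTITIES = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'" };

function decodeAttr(value) {
  return value.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, ref) => {
    if (ref[0] === '#') {
      const isHex = ref[1].toLowerCase() === 'x';
      const cp = isHex ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    const name = ref.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
      ? NAMED_ENTITIES[name]
      : match; // unknown reference: leave it as written
  });
}

// Pull og:description out of a page. Deliberately simple: it only handles the
// attribute order used in the PoC, which is all this illustration needs.
function ogDescription(html) {
  const m = /<meta\s+property="og:description"\s+content="([^"]*)"/i.exec(html);
  return m ? decodeAttr(m[1]) : null;
}

// Vulnerable pattern: untrusted text concatenated into markup (hypothetical template).
function renderUnsafe(description) {
  return '<div class="desc">' + description + '</div>';
}

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed pattern: escape before interpolation (same effect as element.textContent = description).
function renderSafe(description) {
  return '<div class="desc">' + escapeHtml(description) + '</div>';
}

// Check: which tag names appear in the rendered markup that the template did not put there?
function tagNames(markup) {
  return (markup.match(/<\/?([a-z][a-z0-9]*)/gi) || [])
    .map((t) => t.replace(/^<\/?/, '').toLowerCase());
}

function injectedTags(markup, allowedTags) {
  return tagNames(markup).filter((t) => !allowedTags.includes(t));
}

// Stand-alone run.
const desc = ogDescription(POC_PAGE);
console.log('decoded og:description:', desc);
console.log('unsafe render injects:', injectedTags(renderUnsafe(desc), ['div']));
console.log('safe render injects:  ', injectedTags(renderSafe(desc), ['div']));
```

The decoded description is exactly what the reporter's console.log payload looks like once the parser has handled the entities, which is the value any consumer of `document.querySelector('meta[property="og:description"]').content` receives. Whether the injected `<img onerror>` fires depends only on how the consumer puts that string into a document; as the thread notes, the resulting script runs in the origin of the page that carried the meta tag, so the impact is the self-XSS-like one discussed rather than cross-origin access.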

Comment 1 by f...@chromium.org, Apr 24 2015

This seems like a bug in that I don't think the META tag is supposed to be invoked when you add the bookmark.

I'm not sure how to actually turn it into an attack because it seems to execute in the context of the page that defined the META tag to begin with.

Comment 2 by n...@fb.com, Apr 24 2015

This was originally surfaced to me via Facebook's bug bounty program. The problem is that the og:description for a page can sometimes reflect user-controlled content.

The attack scenario would be similar to self-XSS, where someone browses to a page and then is asked to bookmark it, except it might be less obvious of an attack.

Comment 3 by f...@chromium.org, Apr 24 2015

Owner: dbeam@chromium.org
Status: Assigned
dbeam@, are you working on bookmarks? I see a bunch of fixed bookmarks bugs in your history. :) any thoughts on this one?

Comment 4 by n...@fb.com, Apr 24 2015

PoC that runs an external script, hence arbitrary, unlimited JS (unclear how feasible it would be to craft this against an actual site): http://sandboxing.me/poc/7b12c469190291944d684866b1561d297c2693e3d4251a181657a533c5fed60a65a5044a4bfcaa8cf5354cd6a6c5cd447587a8e0e83352490da8728b6948c7a8.html

Maybe a red herring, but <img> appears to be the only tag I can get working here.

Comment 5 by dbeam@chromium.org, Apr 24 2015

Cc: mcolbert@chromium.org danduong@chromium.org dbeam@chromium.org harryyu@chromium.org mgalvez@chromium.org
Labels: Cr-UI-Browser-Bookmarks-Enhanced
Owner: ----
Status: Available
this is a stars issue.  you see my name for the old chrome://bookmarks.  that's not to say I can't help, but I don't have as much experience with this code as some other folks (cc'ing).
Owner: rfevang@chromium.org
 Issue 480954  has been merged into this issue.
Cc: k0r3p...@gmail.com
Labels: reward-topanel
VRP note: If it ends up mattering,  issue 480954  was reported before this was opened. I duped it into this bug since there was already some activity here.

Comment 9 by k0r3p...@gmail.com, Apr 24 2015

Anything I can help?
This code actually lives outside of Chromium, so b/20555599 for tracking internal code changes.
To be clear, this is only XSS-like.  While bad and needs to be immediately fixed (this is a P0 internally), this would only execute code on the site providing the injection.  This means you can execute JS on the bad site with only the same credentials currently available on that site (i.e. there is no way to access any other site's data).

Comment 12 by n...@fb.com, Apr 24 2015

Yes, but if og:description is user-controlled that attack can be launched against others as well. This is closer to self-XSS than UXSS. :-)
Touche! :-)
Labels: Security_Severity-Low
Status: Fixed
Extension with fix is being pushed now, users should get the next version when Chrome updates the component extension (version 2.2015.427.xxxxx).

Comment 16 by ClusterFuzz, Apr 28 2015

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Merge-NA
Labels: Release-0-M43
Cc: timwillis@chromium.org
Labels: -reward-topanel reward-unpaid reward-500
Hey K0r3Ph1L - we decided to pay $500 for this report!

Someone from our payments team will be in contact within two weeks to collect your details. 

We'll credit you in our release notes as "K0r3Ph1L" - please update if you'd like to use another name. I'll also assign a CVE for this bug and provide it shortly.

@neal - do you want me to list you/FB as a co-credit? If so, let me know what name you want to use. 

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************


Comment 20 by n...@fb.com, May 19 2015

> @neal - do you want me to list you/FB as a co-credit? If so, let me know what name you want to use. 

Nope! This was surfaced to us via FB's bug bounty program, not discovered by us, so no credit is required/deserved. ;-)
Thanks for the quick response!

Comment 22 by k0r3p...@gmail.com, May 19 2015

> Hey K0r3Ph1L - we decided to pay $500 for this report!
> Someone from our payments team will be in contact within two weeks to collect your details.
>
> We'll credit you in our release notes as "K0r3Ph1L" - please update if you'd like to use another name. I'll also assign a CVE for this bug and provide it shortly.


@tim
Thanks for the reward! I will be waiting for that, extend my thanks also to your devs/chromium project who acknowledged this bug. I'm fine with the "K0r3ph1l". I will be waiting for more updates to come with the CVE. 

btw, to 

@neal I'm the one who reported it in FB's bbp. I personally thank you for pointing out where the problem is. I'm also reading your blog and am an avid follower of your blog that publishes web security issues. Once again, thank you so much. :))
Labels: CVE-2015-1264
CVE is CVE-2015-1264 and release notes are here: http://googlechromereleases.blogspot.com/2015/05/stable-channel-update_19.html

Someone from our finance team will be in contact within two weeks to collect payment details. Please email me at timwillis@ if that doesn't happen so that I can chase.

Congrats again!

Comment 24 by k0r3p...@gmail.com, May 28 2015

> CVE is CVE-2015-1264 and release notes are here: http://googlechromereleases.blogspot.com/2015/05/stable-channel-update_19.html
>
> Someone from our finance team will be in contact within two weeks to collect payment details. Please email me at timwillis@ if that doesn't happen so that I can chase.
>
> Congrats again!

@tim
Thanks for everything! Appreciated. It's been almost 2 weeks, but I'm still waiting for someone to contact me. No worries!

Can I share this bug publicly? Possibly publishing it on an infosec news website.

If you don't mind waiting a few weeks until a larger percentage of users make it to M43, that would be preferred (and is the default). 

That said, if there's a presentation/something else where there's time pressure to make this issue public early, let me know.

Comment 26 by k0r3p...@gmail.com, May 28 2015

@tim
Everything is fine for now. I'll just wait for an update.
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Processing via our e-payment system can take up to two weeks, but the reward should be on its way to you. Thanks again for your help!

(Note: sorry for the delay here - it turns out in the new payment system, these payments were waiting for a second approval from me).
You're welcome, no problem at all.

Comment 30 by ClusterFuzz, Aug 3 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 31 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted

Comment 35 by sheriffbot@chromium.org, Jul 28

Labels: Pri-2
