
Issue 606094

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: cross domain iframe leads to webcam spying

Reported by inti.de....@gmail.com, Apr 23 2016

Issue description

VULNERABILITY DETAILS
When getUserMedia() is called over https, the permission granted will persist even when the granted page is accessed in another iframe. I already reported something similar in #536144, but now the initial page granted permission can be completely legit.

Last comment: 

> If the site is leaking access to the webcam, that's technically a problem for the site, but we can consider adding mitigations if there is a common problem that allows this to happen without much legitimate use.

I think this applies now.

VERSION
Chrome Version: 49.0.2623.112 m stable
Operating System: Windows 10

REPRODUCTION CASE

1) Go to Google Translate and authorize any webcam app to use your webcam, e.g.:

https://translate.google.com/translate?sl=en&tl=nl&js=y&prev=_t&hl=nl&ie=UTF-8&u=https%3A%2F%2Fidevelop.ro%2Fascii-camera%2F&edit-text=

2) Close the page

3) Go to my PoC at https://belgbook.be/banaan/, wait a couple of seconds and a picture will be secretly taken and displayed


===

Behind the scenes, it loads a page translated at translate.googleusercontent.com. This page has access to the webcam and snaps a pic. This pic is then passed to another page back at the attacker's website (belgbook.be), which will display it.

===

Other browsers don't allow this to happen and ask for permission every time.

 

Comment 1 by vakh@chromium.org, Apr 23 2016

Cc: lgar...@chromium.org raymes@chromium.org
Status: WontFix (was: Unconfirmed)
I tried reproducing this with Chrome 52 (Canary) as well as Chrome 49, both on Windows but could not.
The following errors appeared in the console instead:
- Refused to display 'https://translate.google.com/translate?anno=2&depth=1&hl=nl&rurl=translate.google.com&sl=en&tl=nl&u=https://belgbook.be/banaan/capture.html' in a frame because it set 'X-Frame-Options' to 'DENY'. (index):77
- Uncaught TypeError: Cannot read property 'getContext' of null    onLoad @ (index):77

Retaining the Security label for now.

inti.de.ceukelaire@gmail.com: Can you please verify that the steps you posted are accurate?

Comment 2 Deleted

Comment 3 Deleted

Comment 4 Deleted

Seems like Google Translate's usg parameter was preventing this from working on other computers.

I made another PoC that I tested on another computer as well. The cool thing about this PoC is that, once correctly set up, the user won't even notice he's being watched, except if there's an LED indicator next to the webcam; then it'll flash for about a second.

New PoC:

https://belgbook.be/banaan/

Note that this will only work if you have followed step 1) of the initial reproduction case.

Comment 6 by raymes@chromium.org, Apr 26 2016

Thanks for this example. This is nasty behavior. We're currently working on changing the permissions model with respect to iframes which would prevent this kind of attack. Until that time, I think this particular attack is too specific to warrant a quick-fix.
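The per-frame model alluded to in the comment above, written out as an added illustration (not Chromium's code): a nested frame may use the camera only if every ancestor explicitly delegated it to that frame's origin through an `allow="camera ..."` attribute, so an origin's stored grant no longer follows it into an arbitrary embedder. The `'self'` default allowlist, the `'src'` token and the frame-chain walk are simplified assumptions of mine; header-declared policies are ignored.

```javascript
// Added illustration (not Chromium code) of a per-frame camera delegation check.
// A nested frame may use the camera only if every ancestor delegated it to that
// frame via allow="camera ...". Header-declared policies are ignored here.

const FEATURE = "camera"; // assumed default allowlist: 'self' (same-origin frames only)

// Parse an iframe allow attribute such as "camera 'self' https://a.example; fullscreen"
// into { feature: [token, ...] }; a bare feature name means the frame's 'src' origin.
function parseAllow(attr) {
  const policy = {};
  for (const item of (attr || "").split(";")) {
    const [feature, ...tokens] = item.trim().split(/\s+/).filter(Boolean);
    if (feature) policy[feature] = tokens.length ? tokens : ["'src'"];
  }
  return policy;
}

// Does the embedder's allow attribute for this frame reach frame.origin?
function allowlistMatches(tokens, parent, frame) {
  return tokens.some(t =>
    t === "*" ||
    t === "'src'" ||                                      // the frame's own origin
    (t === "'self'" && frame.origin === parent.origin) || // the embedder's origin
    t === frame.origin);
}

// chain: [{ origin, allow }, ...] from the top-level document down to the innermost
// frame (the top entry carries no allow attribute). Returns whether the innermost
// frame is allowed to call getUserMedia at all; the user's grant is checked separately.
function cameraEnabled(chain) {
  let enabled = true; // the top-level document may use its own camera grant
  for (let i = 1; i < chain.length && enabled; i++) {
    const parent = chain[i - 1], frame = chain[i];
    const tokens = parseAllow(frame.allow)[FEATURE];
    enabled = tokens
      ? allowlistMatches(tokens, parent, frame) // explicit delegation by the embedder
      : frame.origin === parent.origin;         // no attribute: default 'self' only
  }
  return enabled;
}

// The report's scenario: an unrelated top-level site embedding a proxied page whose
// origin already holds a camera grant. Without delegation the frame gets nothing.
const reportedChain = [
  { origin: "https://belgbook.be" },
  { origin: "https://translate.googleusercontent.com" },
];
```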

Comment 7 by raymes@chromium.org, Apr 26 2016

Cc: palmer@chromium.org

Comment 8 by sheriffbot@chromium.org, Jul 30 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
