Issue metadata
Sign in to add a comment
|
Chrome for Android - Modal dialog being executed after window.open is called allows for URL Spoofing
Reported by
luan.her...@hotmail.com,
Apr 23 2016
|
|||||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS This vulnerability makes it possible to display an arbitrary modal dialog over a window with a spoofed URL by calling a modal dialog after opening a new window. Thus making the victim believe that the modal dialog is from the website he was trying to access, while in reality, it is being controlled by the attacker. VERSION I tested on: Chrome 49.0.2623.105 / Android 5.1.1 Chrome 49.0.2623.105 / Android 4.4.2 REPRODUCTION CASE 1. Download index.html 2. Open the file and click on the link. 3. A prompt should appear asking for you credentials under the https://www.google.com URL.
,
Apr 26 2016
,
Apr 26 2016
I can confirm the bug, although it doesn't always repro.
,
Apr 26 2016
,
May 24 2016
Avi: Does your plan to fix alert include suppressing dialogs coming from background tabs?
,
May 24 2016
My plan doesn't currently involve Androids. It is possible to bring them into it later, but right now it's desktop-only.
,
May 25 2016
Okay, in that case we'll need to bring alerting tabs to foreground on Androids.
,
Nov 30 2016
,
Jan 4 2017
,
Jan 4 2017
,
Jan 4 2017
Avi, what do you think is the right approach here? Should we suppress the dialog if it's in the background, or should we bring it to the foreground? I believe you had plans to do the former?
,
Jan 4 2017
Ignore comment #11, you already answered it in comment #6 which means I fail at reading :)
,
Jan 4 2017
NP. Re comment 11, either is fine. Either suppress the dialog, or bring the page that spawned it forward. The choice is a design decision (which I'm slowly working on changing on the desktop) but if you don't keep the showing of dialogs in sync with the showing of pages that show them, you essentially get this URL spoof.
,
Jan 4 2017
Thanks. It seems like suppressing background dialogs is the better solution (both for desktop parity and user experience) but might need an intent-to-deprecate, do you agree? I'm curious how much of a battle that will be versus simply bringing the tab into focus and fixing the immediate issue.
,
Jan 4 2017
I have that on my list of things to eventually do, but alert() usage is high, and its use to pull webpages to the front is high. I'm collecting UMA stats to make the argument, but I suspect if you file the intent now it will not go well. I would highly suggest going the other route :)
,
Jan 4 2017
Sounds good, I'll leave fighting the good fight to you then :) I'll simply bring the tab back to focus.
,
Jan 5 2017
luan.herrera, xisigr: Are you able to consistently reproduce this? The POCs don't work for me on a tip of tree build -- the tab in the background is already brought forward when it shows a dialog.
,
Jan 5 2017
meacer:My POCs work well ,https://bugs.chromium.org/p/chromium/issues/detail?id=677728
,
Jan 5 2017
Thanks, I tried on a couple of different devices and it looks like it reproduces when the tab strip is not visible (repros on phones but not tablets).
,
Mar 2 2017
Similar to bug 549724 , this also seems to be fixed, possibly by avi's change to suppress dialogs from swapped out frames ( bug 634108 ). I'm unable to reproduce it, the alert gets cancelled when the google.com tab opens. luan.herrera, xisigr: Are you still able to repro?
,
Mar 2 2017
meacer:Which POCs do you run? These two bugs( bug 549724 , bug 634108 )I can't see. I still can reproduce in bug 677728 's POCs. (Android chrome 56.0.2924.87)
,
Jun 27 2017
meacer@, any update on this bug? - your friendly secondary security sheriff.
,
Nov 10 2017
,
Jan 6 2018
I was giving a look at this again and I can reproduce https://bugs.chromium.org/p/chromium/issues/attachmentText?aid=232261 (63.0.3239.111 / Android 6.0.1).
,
Feb 14 2018
I think I'm actually not the right owner since I don't know how modal dialogs are triggered on Android. tedchoc: Would you be able to find an appropriate owner? Thanks.
,
Feb 15 2018
+huayinz@ is making tab modal dialogs work on Android, so sending their way We already attempt to bring tabs to the foreground when a dialog is shown, so I suspect this is a race condition TabWebContentsDelegateAndroid#activateContents https://cs.chromium.org/chromium/src/chrome/android/java/src/org/chromium/chrome/browser/tab/TabWebContentsDelegateAndroid.java?q=bringActivityToForeground&sq=package:chromium&dr=CSs&l=349 Maybe we need to prevent tabs being switched while a dialog is present so we could essentially lock it to this tab (only in the case of modal dailogs)? I wonder if we turn on modal JS dialogs right now, would this problem go away and thus we should just focus on getting that launched?
,
Feb 15 2018
On desktop we started hiding dialogs from background tabs until the user brings the tab to the foreground because modal dialogs were being abused -- Avi is the expert on this. It would be nice to have parity and do something similar on mobile.
,
Feb 15 2018
Yes, this is the removal of activation of alert(), https://www.chromestatus.com/feature/6477774290157568 and prompt(), https://www.chromestatus.com/feature/5637107137642496. Gonna do confirm soon. We should do something similar with Android.
,
Feb 18 2018
,
Mar 30 2018
If we turn on tab modal JS dialog, this issue would go away since it brings in Avi's work on removal of activation. So yes, we should just focus on getting that launched.
,
Sep 26
JS tab modal dialog is launched (see Issue 799334), so this issue won't happen anymore.
,
Sep 27
,
Oct 1
,
Oct 4
*** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
,
Oct 4
Nice one luan.herrera@! The VRP panel decided to award $2,000 for this report.
,
Oct 4
,
Oct 5
,
Dec 3
,
Dec 3
,
Dec 11
,
Dec 11
,
Dec 14
,
Dec 14
This bug requires manual review: M72 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: govind@(Android), kariahda@(iOS), djmm@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 14
+ awhalley@ (Security TPM) for M72 merge review. I don't see any CL here.
,
Dec 14
No merge required
,
Jan 3
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||||||||||
Comment 1 by vakh@chromium.org
, Apr 25 2016Components: UI>Browser>Navigation Security>UX
Labels: Security_Severity-Low Security_Impact-Stable OS-Android
Owner: mea...@chromium.org