
Issue 609552

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 456
Owner: ----
Closed: May 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security




Security: block Mac-OSX users to close the chrome browser by any option

Reported by jree...@gmail.com, May 5 2016

Issue description


VULNERABILITY DETAILS

This bug can block Mac OS X users from closing the Chrome browser by any option. After executing the bug, you can try all the possible ways to close the browser except closing from the terminal, because normal users don't know that kind of usage.

I attached the PoC video with this report. Please see the 30-second video for a clear understanding.

Impact:

1. Consider the scenario: if a user clicks a malicious link accidentally and tries to close the browser, this bug will block him from closing the browser.

2. Privacy matters. Consider the scenario where a user is accessing private/sensitive information: if he wants to minimize the browser, this bug will block him from minimizing it, and at last his activity will get exposed.

VERSION
Chrome Version: Version 50.0.2661.94 (64-bit)

Operating System: Mac OS X El Capitan 10.11.4 (15E65)

REPRODUCTION CASE

1. Simply create a script with an alert popup.
2. Open it in the Chrome browser on Mac OS X.
3. You cannot close the browser normally by any means.
4. This bug will not affect Windows OS.

POC attached:

video : chrome_block.mp4
script: testcase.html


Thanks,
Richard
 
chrome_block.mp4 (1.7 MB)
testcase.html (221 bytes)

Comment 1 by f...@chromium.org, May 6 2016

Cc: nparker@chromium.org f...@chromium.org
Labels: Security_Severity-Low Security_Impact-Stable OS-Mac
Status: Untriaged (was: Unconfirmed)
Thanks for the report and repro case.

I'm marking this bug as low-severity, because it doesn't allow an attacker to exfiltrate any information. However, it seems extremely annoying and like a spam/abuse vector.

Nathan, do you know if we have a label for abuse opportunities like this that aren't actively Safe Browsing or security bugs?

Comment 2 by jree...@gmail.com, May 6 2016

Thanks for the review. This bug will extremely affect non-tech Mac users. It's a low-severity one, but it will lead the user to change to other browsers. Any reward for this?

Richard 
Project Member

Comment 3 by sheriffbot@chromium.org, May 6 2016

Labels: Pri-2
Cc: a...@chromium.org
No, we don't have an abuse or DoS label -- maybe we should, but regardless this is not eligible for reward.

I agree this makes spam/phishing more effective.  It would have to be combined with a technique for reopening the alert without triggering the "prevent this page from creating additional dialogs."

avi -- Will this be addressed by your plans to make alert()'s less powerful?

Comment 5 by a...@chromium.org, May 6 2016

Yes, this is exactly the scenario that we're addressing with my plans.

Comment 6 by f...@chromium.org, May 7 2016

avi, is there a bug ID for your plan that I can dupe this into?

Comment 7 by a...@chromium.org, May 7 2016

Mergedinto: 456
Status: Duplicate (was: Untriaged)
I just took a second look at this, and this is not a real issue.

This creates a dialog, and insists that the user be able to close Chrome without dismissing the dialog. It happens to be possible on Windows from the taskbar, but really? In any real scenario, the user will... dismiss the dialog.

At best, this is "app modal dialogs are bad", so I'm duping it as such.
Labels: allpublic
Project Member

Comment 9 by sheriffbot@chromium.org, Jun 1 2017

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
