Security: PDF in iframes bypass the warning dialog on Android
Reported by
resea...@nightwatchcybersecurity.com,
May 29 2016
Issue description

VULNERABILITY DETAILS
When browsing a page that contains a PDF file in an iframe, the PDF will automatically download and get opened in the Google Drive app, if it is installed. The warning about "external program" will never appear. Additionally, this not only happens with .PDF files but any files served with the PDF MIME type. If there were to be a vulnerability in the Google Drive app, this would provide a drive-by download method to deploy it.

This is related to crbug.com/614685 but is a distinct bug with probably the same cause.

The source of this problem is in:
https://chromium.googlesource.com/chromium/src.git/+/master/chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationDelegateImpl.java

Specifically, the intent gets overridden for PDF files even in incognito mode.

VERSION
Chrome Version: 50.0.2661.89
Operating System: Android 6.0, patch level January 2016

REPRODUCTION CASE
Examples:
PDF - https://theowl.xyz/cr/pdf/test1.html
APK - https://theowl.xyz/cr/pdf/test2.html
DOC - https://theowl.xyz/cr/pdf/test3.html
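A defensive check for the "any files served with the PDF MIME type" case described above, for a proxy, scanner or download handler that wants to confirm a body declared as application/pdf really is one before handing it to a viewer. This is an added example, not part of the original report and not Chromium's fix; the function names and sample bytes are constructed.

```python
# Added example: function names and sample bytes are constructed for illustration.
PDF_MIME = "application/pdf"

# Leading magic bytes for the three file types used in the report's test cases.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip/apk"),                         # an APK is a ZIP archive
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2/doc"),  # legacy .doc container
]
ZIP_EOCD = b"PK\x05\x06"   # ZIP end-of-central-directory record signature
EOCD_WINDOW = 22 + 65535   # EOCD record size plus maximum comment length


def sniff(body: bytes) -> str:
    """Identify content by its leading bytes, ignoring any declared type."""
    for magic, kind in SIGNATURES:
        if body.startswith(magic):
            return kind
    return "unknown"


def classify(content_type: str, body: bytes) -> str:
    """Return 'not-pdf-mime', 'ok', 'polyglot' or 'mismatch:<kind>'."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime != PDF_MIME:
        return "not-pdf-mime"
    kind = sniff(body)
    if kind != "pdf":
        return "mismatch:" + kind
    # ZIP readers locate the archive from the end of the file, so a body can
    # start with %PDF- and still parse as a ZIP/APK. Heuristic: a genuine PDF
    # may contain these four bytes by chance inside a binary stream.
    if ZIP_EOCD in body[-EOCD_WINDOW:]:
        return "polyglot"
    return "ok"


# Constructed samples: minimal byte strings, not real documents.
SAMPLES = {
    "pdf": b"%PDF-1.4\n%%EOF\n",
    "apk": b"PK\x03\x04" + b"\x00" * 26,
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "polyglot": b"%PDF-1.4\n" + ZIP_EOCD + b"\x00" * 18,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", classify("application/pdf", body))
```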
,
May 29 2016
Possible patch attached
,
May 31 2016
Thanks for the report and the patch.

+battre and tedchoc from bug 614685
+nparker for download bypass

Nathan, there doesn't seem to be a security vulnerability here, but do you mind if I leave this to you to triage? Thanks.
,
May 31 2016
asanka might know more about the intended behavior of .PDF downloads on Android. I suspect this is some leakage of desktop behavior. I think on mobile, .pdf _should_ be treated like every other download since there's no in-browser viewer.
,
May 31 2016
Yeah, the PDF handling is different on Android. +qinmin for comment.
,
May 31 2016
We are working on disabling passing PDF links to an external activity before it is downloaded. This is targeted for M53.
,
Aug 10 2016
PDF downloads should be handled by Chrome, and then passed to other apps to open.
Comment 1 by resea...@nightwatchcybersecurity.com
, May 29 2016