
Issue 615729


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug




Security: PDF in iframes bypass the warning dialog on Android

Reported by resea...@nightwatchcybersecurity.com, May 29 2016

Issue description

VULNERABILITY DETAILS
When browsing a page that contains a PDF file in an iframe, the PDF will automatically download and be opened in the Google Drive app, if it is installed. The warning about "external program" will never appear.

Additionally, this not only happens with .PDF files but any files served with the PDF MIME type. If there were to be a vulnerability in the Google Drive app, this would provide a drive by download method to deploy it.

This is related to crbug.com/614685 but is a distinct bug with probably the same cause.

The source of this problem is in:
https://chromium.googlesource.com/chromium/src.git/+/master/chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationDelegateImpl.java

Specifically, the intent gets overridden for PDF files even in incognito mode.

VERSION
Chrome Version: 50.0.2661.89
Operating System: Android 6.0, patch level January 2016

REPRODUCTION CASE
Examples:
PDF - https://theowl.xyz/cr/pdf/test1.html
APK - https://theowl.xyz/cr/pdf/test2.html
DOC - https://theowl.xyz/cr/pdf/test3.html

To reproduce, create an HTML file with an iframe whose "src" points to a PDF. Another POC points to any type of file but uses .htaccess to override the MIME type, setting it to "application/pdf".
Possible patch attached: pdf.patch (1.3 KB)

Comment 3 by mea...@chromium.org, May 31 2016

Cc: tedc...@chromium.org battre@chromium.org
Components: UI>Browser>Incognito Privacy
Labels: OS-Android
Thanks for the report and the patch.

+battre and tedchoc from bug 614685
+nparker for download bypass

Nathan, there doesn't seem to be a security vulnerability here, but do you mind if I leave this to you to triage? Thanks.

Comment 4 by mea...@chromium.org, May 31 2016

Cc: nparker@chromium.org
Cc: asanka@chromium.org
asanka might know more about the intended behavior of .PDF downloads on Android.

I suspect this is some leakage of desktop behavior. I think on mobile, .pdf _should_ be treated like every other download since there's no in-browser viewer.

Comment 6 by asanka@chromium.org, May 31 2016

Cc: qin...@chromium.org
Yeah, the PDF handling is different on Android.

+qinmin for comment.


Comment 7 by qin...@chromium.org, May 31 2016

We are working on disabling passing PDF links to an external activity before they are downloaded. This is targeted for M53.

Comment 8 by ClusterFuzz, Jun 2 2016

Labels: Untriaged-1

Comment 9 by f...@chromium.org, Jun 2 2016

Components: UI>Browser>SafeBrowsing
Labels: -Type-Bug-Security -Untriaged-1 -Restrict-View-SecurityTeam Restrict-View-Google Type-Bug
Status: Available (was: Unconfirmed)

Comment 10 by vakh@chromium.org, Jun 3 2016

Labels: SafeBrowsing-Triaged
Owner: qin...@chromium.org

Comment 11 by vakh@chromium.org, Jun 3 2016

Status: Assigned (was: Available)

Comment 12 by vakh@chromium.org, Jun 8 2016

Labels: Hotlist-Fixit-Triaged
Labels: Pri-2
Status: Fixed (was: Assigned)
PDF downloads should be handled by Chrome, and then passed to other apps to open.
Labels: -Restrict-View-Google
Cc: ya...@nightwatchcybersecurity.com
