Issue metadata
Sign in to add a comment
|
Security: Able to bypass permission prompt on keypress |
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS It is possible for a web page to automatically request and accept webcam access with a single keystroke of Space Bar (without the permission prompt being visible). The webcam recording UI (red dot on tab) is shown as normal. I believe this is done by simply requesting webcam access in a "keydown" event listener. The keypress that activates the request also automatically presses the Accept button (which is focused by default). I haven't looked at the details. Making Deny the default would fix the security problem, but still be a UI issue as it would mean a legitimate attempt to start recording when you tap space bar would fail mysteriously. Originally reported on Reddit by user eavert: https://www.reddit.com/r/chrome/comments/4nrgps/websites_might_receive_unauthorized_access_to/ therefore this is publicly disclosed and I believe not eligible for bug bounty. I have been able to reproduce it. VERSION Chrome Version: 51.0.2704.84 stable Operating System: Windows 7 (though may not be Windows-specific) REPRODUCTION CASE Original reporter posted this jsfiddle: https://jsfiddle.net/v8269bcm I have copied it into .html and .js files (attached).
,
Jun 13 2016
Woah. This is serious. Let's triage this as a security vulnerability. Classifying this as Medium because it requires user interaction (keystroke). I know that's extremely easy to get, so I could see an argument for it being High. Either way, let's get this fixed immediately and merged if possible.
,
Jun 13 2016
+juberti as FYI. It's worth noting that this information is public since it was posted on Reddit.
,
Jun 13 2016
FYI, there is a more general and older bug for mitigations against UX attacks like this: bug 63773 It would be nice to fix the overarching problem on other permission/confirmation dialogs too.
,
Jun 13 2016
Potentially also of interest: This discussion on GitHub for the Permissions API: https://github.com/w3c/permissions/issues/77#issuecomment-225066518
,
Jun 13 2016
To clarify my comment #4, the root cause of the problem is that we don't have heuristics to distinguish if a confirmation action on a security UI is a genuine one initiated by the user or accidental. We also don't have anything that prevents accidental clicks / keypresses and ensures the user has seen the UI for a certain amount of time.
,
Jun 13 2016
,
Jun 14 2016
+tommi as FYI How do you want to proceed here?
,
Jun 14 2016
raymes@ suggested doing a quick fix (maybe by Ben, or me?) of switching the button that is the default target, so that this would only cause people to hit 'Deny'. That would resolve the immediate security issue, and then we can investigate the underlying issue more generally. juburti: I don't think any immediate action is needed from your team, aside from being aware that it may come up in public discussions before it is fixed because this issue was posted publicly on Reddit.
,
Jun 14 2016
FYI: The post has been deleted from Reddit (not sure when).
,
Jun 14 2016
I think benwells is traveling. I guess the change to set the default focus target might go in: chrome/browser/ui/views/website_settings/permissions_bubble_view.cc ? felt@ do you know how to do this or do we need someone with more views experience (mgiuca may know or we can loop in others).
,
Jun 14 2016
I have an idea of how to fix it, I'll take a stab at it.
,
Jun 14 2016
Thanks!
,
Jun 14 2016
Thanks Adrienne. I can't repro this on Mac. Can anyone else?
,
Jun 14 2016
I can't repro it on Linux either (the dialog pops up as you would expect). Can repro on Chrome OS. Changing the OS flags to reflect that.
,
Jun 14 2016
I also can't repro on Mac. nparker mentioned he couldn't repro on linux either.
,
Jun 28 2016
felt: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 28 2016
Is it an option to not allow dismissing the dialog via a keyboard shortcut? (I'm guessing accessibility would be a concern, but this might be an easy thing to do while a proper fix is being implemented)
,
Jul 13 2016
felt: Uh oh! This issue still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 19 2016
felt@: any update on this?
,
Jul 21 2016
,
Aug 3 2016
Ping :)
,
Aug 3 2016
felt- I'm happy to look at this. Let me know if you don't want me to, otherwise I'll try and get a fix up this afternoon.
,
Aug 3 2016
,
Aug 3 2016
Note: I can't repro this on Windows 8, in dev or in ToT. It could just be timing dependent. Regardless I think it is a problem and the fix is very simple. I think a better fix than switching the default button to Deny is to just remove the default button entirely.
,
Aug 4 2016
Thanks for picking this up Ben!
,
Aug 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/914c24f03eafaf4043867923166e6dc78f41437f commit 914c24f03eafaf4043867923166e6dc78f41437f Author: benwells <benwells@chromium.org> Date: Fri Aug 05 06:32:40 2016 Remove default action in permission bubbles This prevents accidental acceptance of permissions, and also works around websites timing permission requests in a way to always get the permission. BUG= 619429 Review-Url: https://codereview.chromium.org/2206903002 Cr-Commit-Position: refs/heads/master@{#410004} [modify] https://crrev.com/914c24f03eafaf4043867923166e6dc78f41437f/chrome/browser/ui/views/website_settings/permission_prompt_impl.cc
,
Aug 5 2016
The default action has been removed. The dialog is still accessible as you can use tab to move the focus. I think this is enough. If someone thinks we should do more, please reopen.
,
Aug 5 2016
,
Aug 25 2016
Issue 640624 has been merged into this issue.
,
Aug 25 2016
,
Sep 13 2016
,
Sep 29 2016
,
Oct 10 2016
,
Nov 11 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 9 2016
Security>UX component is deprecated in favor of the Team-Security-UX label |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Jun 13 2016