Issue 620737

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security

Security: Chrome does not distinguish between http and https proxies when saving passwords

Project Member Reported by asanka@chromium.org, Jun 16 2016

Issue description

VULNERABILITY DETAILS

In login_handler.cc, passwords meant for HTTP proxy authentication are associated with the authority "http://" + host-port-of-server when constructing a PasswordForm for saving passwords. This is done regardless of whether the proxy is using https or http.

Consequently, if a user has saved passwords for an https proxy, then a malicious operator could present the same host+port combination as an http proxy and get Chrome to autofill the credentials.

A mitigating factor is that the https proxy and the fake http proxy both need to use the same HTTP authentication scheme.

(Forking off from issue 613626)

VERSION
Chrome Version: 49+
Operating System: Win, Mac, Linux, ChromeOS, Android

REPRODUCTION CASE

- Set up an https proxy that requires HTTP basic authentication.
- Use the proxy with Chrome and save the password when prompted.
- Set up an http proxy with the same host and port and which uses HTTP basic authentication.
- Attempting to use the http proxy results in an HTTP proxy auth dialog that's autofilled with the credentials for the https proxy.
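
A simplified model of the keying problem this report describes, added here as an illustration; it is not Chromium's login_handler.cc, and every type, function, host and password in it is constructed. It replays the reproduction case against a scheme-blind key and against a key that keeps the proxy's real scheme.

```cpp
#include <iostream>
#include <map>
#include <string>

// Simplified model, not Chromium code. All names and values are hypothetical.
struct ProxyChallenge {
  bool is_https;            // scheme of the connection to the proxy
  std::string host_port;    // constructed sample: "proxy.example:3128"
  std::string auth_scheme;  // "basic", "digest", ...
};

// Keying described in the report: "http://" + host:port, whatever the scheme.
std::string LegacyKey(const ProxyChallenge& c) {
  return "http://" + c.host_port + "|" + c.auth_scheme;
}

// Keying that keeps the proxy's actual scheme in the saved origin.
std::string SchemeAwareKey(const ProxyChallenge& c) {
  return std::string(c.is_https ? "https://" : "http://") + c.host_port +
         "|" + c.auth_scheme;
}

typedef std::string (*KeyFn)(const ProxyChallenge&);
class CredentialStore {
 public:
  explicit CredentialStore(KeyFn key) : key_(key) {}
  void Save(const ProxyChallenge& c, const std::string& pw) { saved_[key_(c)] = pw; }
  // Returns the saved password that would be autofilled, or nullptr if none.
  const std::string* Autofill(const ProxyChallenge& c) const {
    auto it = saved_.find(key_(c));
    return it == saved_.end() ? nullptr : &it->second;
  }
 private:
  KeyFn key_;
  std::map<std::string, std::string> saved_;
};

// Replays the reproduction case: save for the https proxy, then check whether
// an http proxy on the same host:port is offered that password.
bool OfferedToHttpProxy(KeyFn key, const std::string& http_auth = "basic") {
  CredentialStore store(key);
  ProxyChallenge https_proxy = {true, "proxy.example:3128", "basic"};
  ProxyChallenge http_proxy = {false, "proxy.example:3128", http_auth};
  store.Save(https_proxy, "constructed-password");
  return store.Autofill(http_proxy) != nullptr;
}

int main() {
  std::cout << "legacy key: " << OfferedToHttpProxy(LegacyKey)
            << ", scheme-aware key: " << OfferedToHttpProxy(SchemeAwareKey) << "\n";
}
```

The optional second argument models the mitigating factor from the report: with the scheme-blind key, a different HTTP authentication scheme on the http proxy no longer matches the saved entry.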

 
Labels: Security_Severity-Medium Security_Impact-Stable M-53
Project Member

Comment 2 by bugdroid1@chromium.org, Jun 16 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98

commit 098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98
Author: asanka <asanka@chromium.org>
Date: Thu Jun 16 20:18:43 2016

Use correct origin when prompting for proxy authentication.

Since M49, Chrome has been prompting for proxy authentication
credentials using the target origin instead of the origin of the proxy
server. Even if the proxy origin was displayed correctly, a mischievous
network operator could still spoof the proxy server origin. To mitigate
these problems, this CL:

* Fixes the origin used in the proxy authentication login prompt to use
  the origin of the proxy server.

* Indicate if the proxy server connection is insecure.

* Always throw up an interstitial and clear the omnibox when showing a
  proxy auth prompt.

* Use the correct origin when saving proxy authentication credentials.

BUG=613626, 620737

Review-Url: https://codereview.chromium.org/2067933002
Cr-Commit-Position: refs/heads/master@{#400247}

[modify] https://crrev.com/098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98/chrome/browser/ui/login/login_handler.cc
[modify] https://crrev.com/098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98/chrome/browser/ui/login/login_handler.h
[modify] https://crrev.com/098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98/chrome/browser/ui/login/login_handler_unittest.cc
[modify] https://crrev.com/098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98/content/shell/browser/shell_login_dialog.cc
[modify] https://crrev.com/098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98/net/base/auth.cc
[modify] https://crrev.com/098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98/net/base/auth.h
[modify] https://crrev.com/098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98/net/http/http_auth_controller.cc
[modify] https://crrev.com/098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98/net/http/http_network_transaction_unittest.cc
[modify] https://crrev.com/098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98/net/url_request/url_request_ftp_job.cc

Comment 3 by asanka@chromium.org, Jun 16 2016

Status: Fixed (was: Assigned)
Project Member

Comment 4 by ClusterFuzz, Jun 17 2016

Labels: -M-53 Merge-Triage M-51 M-52
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Project Member

Comment 5 by sheriffbot@chromium.org, Jun 17 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 6 by bugdroid1@chromium.org, Jun 20 2016

Labels: merge-merged-2743
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8c8b7cc66aa395a12b7a25f59d9cd4d1eb71f1a4

commit 8c8b7cc66aa395a12b7a25f59d9cd4d1eb71f1a4
Author: Asanka Herath <asanka@chromium.org>
Date: Mon Jun 20 14:53:42 2016

[Merge M52] Use correct origin when prompting for proxy authentication.

Since M49, Chrome has been prompting for proxy authentication
credentials using the target origin instead of the origin of the proxy
server. Even if the proxy origin was displayed correctly, a mischievous
network operator could still spoof the proxy server origin. To mitigate
these problems, this CL:

* Fixes the origin used in the proxy authentication login prompt to use
  the origin of the proxy server.

* Indicate if the proxy server connection is insecure.

* Always throw up an interstitial and clear the omnibox when showing a
  proxy auth prompt.

* Use the correct origin when saving proxy authentication credentials.

BUG=613626, 620737

Review-Url: https://codereview.chromium.org/2067933002
Cr-Commit-Position: refs/heads/master@{#400247}
(cherry picked from commit 098c009df7a4ddc5c23d4d3c9dccf5eff1f24c98)

Review URL: https://codereview.chromium.org/2082513003 .

Cr-Commit-Position: refs/branch-heads/2743@{#397}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/8c8b7cc66aa395a12b7a25f59d9cd4d1eb71f1a4/chrome/browser/ui/login/login_handler.cc
[modify] https://crrev.com/8c8b7cc66aa395a12b7a25f59d9cd4d1eb71f1a4/chrome/browser/ui/login/login_handler.h
[modify] https://crrev.com/8c8b7cc66aa395a12b7a25f59d9cd4d1eb71f1a4/chrome/browser/ui/login/login_handler_unittest.cc
[modify] https://crrev.com/8c8b7cc66aa395a12b7a25f59d9cd4d1eb71f1a4/content/shell/browser/shell_login_dialog.cc
[modify] https://crrev.com/8c8b7cc66aa395a12b7a25f59d9cd4d1eb71f1a4/net/base/auth.cc
[modify] https://crrev.com/8c8b7cc66aa395a12b7a25f59d9cd4d1eb71f1a4/net/base/auth.h
[modify] https://crrev.com/8c8b7cc66aa395a12b7a25f59d9cd4d1eb71f1a4/net/http/http_auth_controller.cc
[modify] https://crrev.com/8c8b7cc66aa395a12b7a25f59d9cd4d1eb71f1a4/net/http/http_network_transaction_unittest.cc
[modify] https://crrev.com/8c8b7cc66aa395a12b7a25f59d9cd4d1eb71f1a4/net/url_request/url_request_ftp_job.cc

Labels: -Merge-Triage
Labels: Release-0-M52
Project Member

Comment 9 by sheriffbot@chromium.org, Sep 23 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 10 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Cc: -vabr@chromium.org