Issue metadata
Sign in to add a comment
|
Security: Any site can get size of GET response from any another site
Reported by
watashiw...@gmail.com,
Jun 27 2016
|
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS Function navigator.webkitTemporaryStorage.queryUsageAndQuota is insecure. It allows any site to get size of web pages loaded using GET request from any another site. A lot of sites use GET request with sensitive data returned using it. It can tell an attacker if some data exists or not, or attacker can bruteforce some sensitive data. VERSION Chrome Version: 51.0.2704.103 + stable Operating System: Any REPRODUCTION CASE I made a small demo which do exactly what I told before. You need to run on standalone server to make it work. After that insert any url to input and click button. And you can get size of page in bytes.
,
Jun 27 2016
Yes, this is currently tracked at issue 617963 (see also issue 596927 and issue 548556 ).
,
Jun 27 2016
This bug was reported privately to our (Mail.Ru) bug bounty on hackerone by https://hackerone.com/cyb1 And he asked to not disclose this report before his talk at Blackhat USA 2016.
,
Feb 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by dominickn@chromium.org
, Jun 27 2016Labels: Security_Severity-Medium Security_Impact-Stable
Owner: falken@chromium.org
Status: Assigned (was: Unconfirmed)