Security: ChromeVox on ChromeOS uses HTTP without SSL for some requests:
Reported by resea...@nightwatchcybersecurity.com, Jul 12 2016
Issue description

VULNERABILITY DETAILS
ChromeVox on ChromeOS uses HTTP without SSL for some requests. We saw the following URLs:

http://fonts.googleapis.com/css?family=Droid+Sans+Mono|Roboto:400,700,700italic
http://fonts.gstatic.com/s/roboto/v15/t6Nd4cfPRhZP44Q5QAjcC44P5ICox8Kq3LLUNMylGO4.woff2

VERSION
Chrome Version: 51.0.2704.106 (stable)
Operating System: ChromeOS 8172.62.0 (stable)

REPRODUCTION CASE:
1. Set up a proxy with WiFi.
2. Switch ChromeOS device to use proxy.
3. Restart the device and on the login screen enable ChromeVox.
4. Observe calls to HTTP without SSL.
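The observation in step 4, as an added example that is not part of the original report: a forward proxy sees HTTPS traffic only as `CONNECT host:443` tunnels, while plain HTTP arrives as an absolute-form request with the full URL visible, so the two can be separated from the request line alone. The function names and the sample lines are assumptions; the two `http://` URLs are the ones quoted in the report, and the `CONNECT` lines are constructed for contrast.

```python
from urllib.parse import urlsplit

# Constructed sample: request lines as a forward proxy would receive them.
# Only the two http:// URLs come from the report; the rest is invented.
SAMPLE_REQUEST_LINES = [
    "CONNECT accounts.google.com:443 HTTP/1.1",
    "GET http://fonts.googleapis.com/css?family=Droid+Sans+Mono|Roboto:400,700,700italic HTTP/1.1",
    "GET http://fonts.gstatic.com/s/roboto/v15/t6Nd4cfPRhZP44Q5QAjcC44P5ICox8Kq3LLUNMylGO4.woff2 HTTP/1.1",
    "CONNECT fonts.gstatic.com:443 HTTP/1.1",
    "garbage line",
]

def classify(request_line):
    """Return (kind, host, target); kind is 'tunnel', 'cleartext' or 'other'."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("other", None, request_line)
    method, target, _version = parts
    if method.upper() == "CONNECT":
        # CONNECT host:port: the proxy learns the endpoint, not the content.
        return ("tunnel", target.rsplit(":", 1)[0].lower(), target)
    url = urlsplit(target)
    if url.scheme.lower() == "http" and url.hostname:
        # Absolute-form request: URL and response are readable and
        # modifiable by anything on the network path.
        return ("cleartext", url.hostname.lower(), target)
    return ("other", None, target)

def cleartext_report(lines):
    """Map each host fetched over plain HTTP to its URLs, and note whether
    the same host was also reached through a TLS tunnel in this capture."""
    tunnels, findings = set(), {}
    for line in lines:
        kind, host, target = classify(line)
        if kind == "tunnel":
            tunnels.add(host)
        elif kind == "cleartext":
            findings.setdefault(host, []).append(target)
    return {h: {"urls": u, "also_tls": h in tunnels} for h, u in findings.items()}

if __name__ == "__main__":
    for host, info in cleartext_report(SAMPLE_REQUEST_LINES).items():
        print(host, "also_tls=%s" % info["also_tls"])
        for u in info["urls"]:
            print("   ", u)
```

A host that shows up both in cleartext and as a tunnel already serves TLS, so the plain-HTTP fetch is a client-side URL choice rather than a server limitation.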
,
Jul 13 2016
Are these URLs being embedded on chrome-extension:// pages? If so, bug 398790 might be relevant.
,
Sep 18 2017
Does this get a CVE and/or qualify for a bounty?
,
Sep 18 2017
+awhalley for comment 15.
,
Sep 18 2017
Looks like this wasn't marked as fixed when the release it was fixed in was released :-) Marking with M-62 to get that picked up for release note and CVE allocation then (though shout if you need it sooner and I can do it manually). We don't usually reward for low severity bugs, but we'll take a look in a future VRP panel.
,
Oct 19 2017
*** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
,
Oct 20 2017
The VRP panel decided to award $500 for this report. Also, how would you like to be credited on the release notes when
,
Oct 20 2017
Thank you! Please credit "Nightwatch Cybersecurity Research" in the notes. Is there a CVE being assigned?
,
Oct 26 2017
Pardon the delay, CVE assigned.
,
Oct 26 2017
Thank you! At what point is it ok to disclose publicly? I checked the list of changes for Chrome 62 and don't see this one there.
,
Oct 28 2017
This bug will be automatically opened 14 weeks after the fix date. This was indeed released with Chrome OS 62, which went stable yesterday. Expect the release notes to be updated with this and a few other security bugs in about a week. Please feel free to disclose this publicly after 7th November, so folks have some time to update their systems to 62. Thanks again for the report!
,
Dec 26 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 1 2018
Our advisory published here, thank you! https://wwws.nightwatchcybersecurity.com/2018/01/01/chromeos-doesnt-always-use-ssl-during-startup-cve-2017-15397/
Comment 1 by rickyz@chromium.org, Jul 13 2016
Owner: dtseng@chromium.org