New issue
Advanced search Search tips
Starred by 1 user

Issue metadata

Status: Fixed
Closed: Sep 2017
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security

Sign in to add a comment

Issue 627300: Security: ChromeVox on ChromeOS uses HTTP without SSL for some requests:

Reported by, Jul 12 2016

Issue description

ChromeVox on ChromeOS uses HTTP without SSL for some requests:

We saw the following URLs:|Roboto:400,700,700italic

Chrome Version: 51.0.2704.106 (stable)
Operating System: ChromeOS 8172.62.0 (stable)

1. Setup a proxy with WiFi.
2. Switch ChromeOS device to use proxy.
3. Restart the device and on the login screen enable ChromeVox.
4. Observe calls to HTTP without SSL.

Comment 1 by, Jul 13 2016

Labels: M-54 Arch-All Security_Severity-Low OS-Chrome
Mind taking a look at this one, dtseng@?

Comment 2 by, Jul 13 2016

Project Member
Labels: Pri-2

Comment 3 by, Jul 13 2016

Project Member
Status: Assigned (was: Unconfirmed)

Comment 4 by, Jul 13 2016

Components: UI>Accessibility
Labels: Security_Impact-Stable

Comment 5 by, Jul 13 2016

Are these URLs being embedded on chrome-extension:// pages? If so, bug 398790 might be relevant.

Comment 6 by, Dec 2 2016

Project Member
Labels: -M-54 M-55

Comment 7 by, Jan 26 2017

Project Member
Labels: -M-55 M-56

Comment 8 by, Mar 9 2017


Comment 9 by, Mar 10 2017

Project Member
Labels: -M-56 M-57

Comment 10 by, Apr 20 2017

Project Member
Labels: -M-57 M-58

Comment 11 by, Jun 6 2017

Project Member
Labels: -M-58 M-59

Comment 12 by, Jul 26 2017

Project Member
Labels: -M-59 M-60

Comment 13 by, Sep 6 2017

Project Member
Labels: -M-60 M-61

Comment 14 by, Sep 18 2017

Status: fixed (was: Assigned)

Comment 15 by, Sep 18 2017

Does this get a CVE and/or qualify for a bounty?

Comment 16 by, Sep 18 2017

+awhalley for comment 15.

Comment 17 by, Sep 18 2017

Labels: -M-61 M-62 M-59
Looks like this wasn't marked as fixed when the release it was fixed in was released :-)  Marking with M-62 to get that picked up for release note and CVE allocation then (though shout if you need it sooner and I can do it manually)

We don't usually reward for low severity bugs, but we'll take a look in a future VRP panel.

Comment 18 by, Sep 19 2017

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 19 by, Oct 16 2017

Labels: reward-topanel

Comment 20 by, Oct 19 2017

Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

Comment 21 by, Oct 20 2017

The VRP panel decided to award $500 for this report.  Also, how would you like to be credited on the release notes when

Comment 22 by, Oct 20 2017

Labels: -reward-unpaid reward-inprocess

Comment 23 by, Oct 20 2017

Thank you! Please credit "Nightwatch Cybersecurity Research" in the notes.

Is there a CVE being assigned?

Comment 24 by, Oct 26 2017

Labels: CVE-2017-15397
Pardon the delay, CVE assigned.

Comment 25 by, Oct 26 2017

Thank you! At what point is it ok to disclose publicly? I checked the list of changes for Chrome 62 and don't see this one there.

Comment 26 by, Oct 28 2017

This bug will be automatically opened 14 weeks after the fix date. This was indeed released with Chrome OS 62, which went stable yesterday.  Expect the release notes to be updated with this and a few other security bugs in about a week.

Please feel free to disclose this publically after 7th November, so folks have some time to update their systems to 62.

Thanks again for the report!

Comment 27 by, Nov 6 2017

Labels: Release-0-M62

Comment 28 by, Dec 26 2017

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 30 by, Apr 25 2018

Labels: CVE_description-submitted

Sign in to add a comment