Issue metadata
Sign in to add a comment
|
Security: Accessing user's webcam and microphone through ChromeVox
Reported by
inti.de....@gmail.com,
Jul 14 2016
|
||||||||||||||||||||||||
Issue descriptionThis template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs NOTE: Security bugs are normally made public once a fix has been widely deployed. VULNERABILITY DETAILS Please provide a brief explanation of the security issue. VERSION Chrome Version: Chrome 51 Operating System: All REPRODUCTION CASE Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug. Hey, The official ChromeVox (80k users) Google Chrome extension, a screen reader for the visually impaired, does not cover Chrome's allow-access popups. This imposes a security risk for visually impaired people, because the default tab focus is set on "Allow". If we set up a page that shows: "Please press enter to continue", it's all a visually impaired user will hear. Sounds legit - but in reality he's giving away access to his webcam and microphone. Users with a visual handicap probably won't see the other warning signs as fast (such as the webcam activation LED), which makes this particular group even more vulnerable to this type of attack. Reproduction steps 1. Install ChromeVox here http://www.chromevox.com/ 2. Navigate to https://inti.io/poc/blind​ and close your eyes 3. Follow the instructions read by ChromeVox (Please press enter) 4. Open your eyes 5. Your webcam image should appear Fix I believe you can either fix the extension to properly read the allow-access popups upon appearing. Setting the default tab to "Block" would also help.
,
Jul 15 2016
I tested this on Windows 10. Defaulted here.
,
Jul 18 2016
dtseng@, could you take a look at this? thanks
,
Jul 19 2016
,
Jul 19 2016
,
Jul 29 2016
dtseng: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 29 2016
Non-CHrome OS: ChromeVox is *not* a system screen reader. See Jaws for Windows, NVDA, VoiceOver, and TalkBack. Windows: the infobar should automatically read when they are focused. Mac: a user would use the screen reader's review keys to read the non-focusable content. iOS: a user would use the screen reader's review keys to read the non-focusable content. Android: a user would use the screen reader's review keys to read the non-focusable content. Chrome OS: a user would use the screen reader's review keys to read the non-focusable content.
,
Nov 5 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by ta...@google.com
, Jul 15 2016Components: UI>Accessibility
Labels: OS-All Pri-2