Starred by 1 user
Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug-Security
Chrome for Android - Quickly entering and exiting fullscreen allows for URL Spoofing
Reported by luan.her...@hotmail.com, Aug 22 2016 Back to list
VULNERABILITY DETAILS
If you quickly enter and exit fullscreen, the omnibox slides up automatically and then disappears (without any warning). This allows the attacker to insert an image of a fake omnibox in its place, thus spoofing it.

VERSION
I tested on:
Chrome 52.0.2743.98 / Android 6.0.1
Chrome 52.0.2743.98 / Android 4.3.0
Chrome 52.0.2743.98 / Android 4.4.2

REPRODUCTION CASE
1. Access http://lbherrera.me/fullspoof.html
2. Click on the "Sign in" button.
3. The image of a fake omnibox and login page will show up.

* Since I use an image to spoof the whole page, the image may be misaligned because of different screen resolutions. A dedicated attacker could easily fix this, as he would know the user's screen resolution.
 
Cc: spqc...@chromium.org
Components: UI>Browser>Omnibox UI>Browser>FullScreen
Labels: OS-Android
That's a nice spoof! Definitely reproducible on Android. 
Let me route it to the right team to see if this is a known issue.
Thanks for reporting!

+spqchan@, could you help me triage this bug since you're quite active in both components?

Thanks!
Status: Untriaged
Cc: -spqc...@chromium.org
Labels: Security_Impact-Stable Security_Severity-High Pri-1
Owner: spqc...@chromium.org
Status: Assigned
Cc: jialiul@chromium.org
Owner: ----
Status: Untriaged
Sorry jialiul, while I'm active in both the omnibox and fullscreen, I'm only active on Mac. I have no idea how to triage for Android
Owner: tedc...@chromium.org
+tedchoc@, could you help triage this issue since you have worked on omnibox-related issues on Android? Please feel free to suggest another owner. Thanks!
Project Member Comment 6 by sheriffbot@chromium.org, Aug 24 2016
Labels: M-52
Project Member Comment 7 by sheriffbot@chromium.org, Aug 24 2016
Status: Assigned
Yeah, I'll take a look at this.
Project Member Comment 9 by sheriffbot@chromium.org, Sep 1 2016
Labels: -M-52 M-53
Project Member Comment 10 by sheriffbot@chromium.org, Sep 8 2016
tedchoc: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 11 by sheriffbot@chromium.org, Sep 22 2016
tedchoc: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 12 by bugdroid1@chromium.org, Sep 27 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a55c2fdf48fb379f994e21768f517b53837ea663

commit a55c2fdf48fb379f994e21768f517b53837ea663
Author: tedchoc <tedchoc@chromium.org>
Date: Tue Sep 27 06:11:07 2016

Keep top controls visible if SHOW is called right after HIDE.

Currently, we early exit if the visibility amount matches our
desired ending amount.  But when you set HIDDEN as the current,
it will start an animation, and an immediate call to SHOWN will
see that the ending condition is met and return, but does not
clear the animation.

Now, clear the animation if the current value matches our
desired ending value to ensure it doesn't move.

BUG= 639702 
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel

Review-Url: https://codereview.chromium.org/2372713004
Cr-Commit-Position: refs/heads/master@{#421125}

[modify] https://crrev.com/a55c2fdf48fb379f994e21768f517b53837ea663/cc/input/top_controls_manager.cc
[modify] https://crrev.com/a55c2fdf48fb379f994e21768f517b53837ea663/cc/input/top_controls_manager_unittest.cc
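
A simplified model of the show/hide race the commit message above describes, added here as an illustration; it is not Chromium's cc/input/top_controls_manager.cc, and the class and method names are hypothetical. It runs the buggy early exit beside the fixed one: HIDE immediately followed by SHOW leaves the hide animation running in the buggy version, so the controls (and the real omnibox) end up hidden, while the fix cancels the animation and keeps them at the requested value.

```cpp
// Constructed model of a top-controls visibility state machine (hypothetical
// names; not the Chromium implementation).
#include <algorithm>
#include <optional>

class TopControlsModel {
 public:
  explicit TopControlsModel(bool fixed) : fixed_(fixed) {}

  // 1.0 = controls (omnibox) fully shown, 0.0 = fully hidden.
  double shown_ratio() const { return shown_ratio_; }
  bool animating() const { return animation_target_.has_value(); }

  // Request SHOWN (true) or HIDDEN (false); the change is animated.
  void Request(bool show) {
    const double target = show ? 1.0 : 0.0;
    if (shown_ratio_ == target) {
      // Buggy version: early exit leaves an already-started animation
      // running toward the previous target.
      if (fixed_) animation_target_.reset();  // Fixed version: cancel it.
      return;
    }
    animation_target_ = target;
  }

  // Advance the running animation by one frame of size `step`.
  void Tick(double step) {
    if (!animation_target_) return;
    const double t = *animation_target_;
    if (shown_ratio_ < t) shown_ratio_ = std::min(shown_ratio_ + step, t);
    else shown_ratio_ = std::max(shown_ratio_ - step, t);
    if (shown_ratio_ == t) animation_target_.reset();
  }

 private:
  bool fixed_;
  double shown_ratio_ = 1.0;  // Controls start fully visible.
  std::optional<double> animation_target_;
};

// Reproduces the report: HIDDEN immediately followed by SHOWN, then let
// frames run. Returns the settled ratio; 1.0 means the omnibox stayed put.
double HideThenShowAndSettle(bool fixed) {
  TopControlsModel m(fixed);
  m.Request(false);  // HIDDEN: starts animating toward 0.0.
  m.Request(true);   // SHOWN: ratio is still 1.0, so we take the early exit.
  for (int i = 0; i < 20; ++i) m.Tick(0.1);
  return m.shown_ratio();
}
```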

Labels: Merge-Request-54
Comment 14 by dimu@chromium.org, Sep 27 2016
Labels: -Merge-Request-54 Merge-Approved-54 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Project Member Comment 15 by bugdroid1@chromium.org, Sep 27 2016
Labels: -merge-approved-54 merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0f76844ee3219d0e3990216b5dd657aac4d36f7b

commit 0f76844ee3219d0e3990216b5dd657aac4d36f7b
Author: Ted Choc <tedchoc@google.com>
Date: Tue Sep 27 17:05:25 2016

Keep top controls visible if SHOW is called right after HIDE.

Currently, we early exit if the visibility amount matches our
desired ending amount.  But when you set HIDDEN as the current,
it will start an animation, and an immediate call to SHOWN will
see that the ending condition is met and return, but does not
clear the animation.

Now, clear the animation if the current value matches our
desired ending value to ensure it doesn't move.

BUG= 639702 
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel

Review URL: https://codereview.chromium.org/2371223002 .

Review-Url: https://codereview.chromium.org/2372713004
Cr-Original-Commit-Position: refs/heads/master@{#421125}
Cr-Commit-Position: refs/branch-heads/2840@{#546}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/0f76844ee3219d0e3990216b5dd657aac4d36f7b/cc/input/top_controls_manager.cc
[modify] https://crrev.com/0f76844ee3219d0e3990216b5dd657aac4d36f7b/cc/input/top_controls_manager_unittest.cc

Status: Fixed
Labels: reward-topanel
Project Member Comment 18 by sheriffbot@chromium.org, Sep 28 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Hotlist-Merge-Approved
Labels: Release-0-M54
Labels: CVE-2016-5187
Labels: -reward-topanel reward-unpaid reward-1000
Congratulations - $1,000 for this one!
Labels: reward-inprocess
Labels: -reward-unpaid
Project Member Comment 26 by bugdroid1@chromium.org, Oct 27 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0f76844ee3219d0e3990216b5dd657aac4d36f7b

Project Member Comment 27 by sheriffbot@chromium.org, Jan 4 2017
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot