Issue 639750: XSS using Dropjacking
Starred by 5 users. Reported by s.h.h.n....@gmail.com, Aug 22 2016
Aug 23 2016
Hi, anyone? If you don't consider this a security bug, please let me know.
Aug 23 2016
This is an unconvincing attack scenario. It is extremely unlikely to convince the user to drag stuff to arbitrary tabs.
Aug 28 2016
Hi, an attacker can use the cursor hack below to fake the cursor location and have the victim play a game in which the victim drags and drops things; because the cursor location is manipulated by the attacker, the victim thinks he is dropping things in the document when it is actually tabs. https://jameshfisher.github.io/cursory-hack/
What do Edge / Firefox do? Do they just not allow this drag? Or do they not support dropping on a tab to navigate it? Also, we already mark the drag data (https://cs.chromium.org/chromium/src/content/public/common/drop_data.h?rcl=0&l=65) if it originated from an untrusted web content, so we can just use that. Obviously, it doesn't work if you drag from FF into Chrome... but you're kind of just asking for trouble at that point?
Hi, thank you all for reconsideration. Do you consider this as SOP bypass?
Using the trick below, dropping into a new tab will also cause XSS in Google.com :p https://crbug.com/554519
I'd like to take a swing at this.
> Hi, thank you all for reconsideration. Do you consider this as SOP bypass?

This is more akin to self-XSS than a straightforward SOP bypass as it requires significant user interaction.
The Windows fix in 55.0.2861.0 is ineffective on Mac. Mac appears to go through a different codepath, using URLDropTarget. We'll need to update dropURLs (and maybe isUnsupportedDropData) in tab_strip_controller.mm.
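As an added illustration of the mitigation discussed in this thread (example code, not Chromium's own): a self-contained C++ sketch of a tab-drop filter that rejects any drop marked as originating from untrusted web content, the same idea as the mark in drop_data.h mentioned above, and as defence in depth refuses javascript: URLs regardless of origin, which is what a dropURLs / isUnsupportedDropData style check on the Mac path needs to guarantee. The `DroppedUrls` struct, its `from_untrusted_web_content` flag and the function names here are assumptions for this example, not the real fields of Chromium's `DropData` or its tab-strip methods.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for a drop payload (NOT Chromium's DropData).
struct DroppedUrls {
    std::vector<std::string> urls;
    bool from_untrusted_web_content;  // assumed flag: drag began in a renderer
};

// Normalise the way a URL parser would before scheme detection: strip ASCII
// tab/newline anywhere, trim leading/trailing spaces and C0 control bytes.
static std::string NormaliseForScheme(const std::string& raw) {
    std::string s;
    for (char c : raw) {
        if (c == '\t' || c == '\n' || c == '\r') continue;
        s.push_back(c);
    }
    size_t b = 0, e = s.size();
    while (b < e && static_cast<unsigned char>(s[b]) <= 0x20) ++b;
    while (e > b && static_cast<unsigned char>(s[e - 1]) <= 0x20) --e;
    return s.substr(b, e - b);
}

// Return the lower-cased scheme of |raw| ("" if it has no syntactically
// valid scheme). Scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
std::string SchemeOf(const std::string& raw) {
    std::string s = NormaliseForScheme(raw);
    if (s.empty() || !std::isalpha(static_cast<unsigned char>(s[0]))) return "";
    size_t i = 1;
    while (i < s.size()) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        if (std::isalnum(c) || c == '+' || c == '-' || c == '.') { ++i; continue; }
        break;
    }
    if (i >= s.size() || s[i] != ':') return "";
    std::string scheme = s.substr(0, i);
    for (char& c : scheme) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return scheme;
}

// True if navigating a tab to |url| would execute script in that tab's
// current origin instead of loading a new document.
bool IsScriptUrl(const std::string& url) {
    return SchemeOf(url) == "javascript";
}

// Decide which dropped URLs a tab may be navigated to. Policy (assumed for
// this example): a drop that began in untrusted web content is rejected
// outright; otherwise each URL is kept unless it is a script URL.
std::vector<std::string> FilterDroppedUrls(const DroppedUrls& drop) {
    std::vector<std::string> allowed;
    if (drop.from_untrusted_web_content) return allowed;
    for (const std::string& u : drop.urls) {
        if (IsScriptUrl(u)) continue;
        allowed.push_back(u);
    }
    return allowed;
}

int main() {
    // Constructed sample: a drop from a trusted source (e.g. the address bar)
    // containing one script URL hidden behind mixed case and a tab character.
    DroppedUrls drop{{"https://example.com/", "Java\tScript:void(0)", "about:blank"}, false};
    for (const std::string& u : FilterDroppedUrls(drop))
        std::cout << "navigate: " << u << '\n';
    return 0;
}
```

The scheme check deliberately normalises case and embedded tab/newline bytes first, because browser URL parsers strip those before deciding the scheme; a naive `starts_with("javascript:")` comparison on the raw string would pass variants that the navigation code later treats as script.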
Dev-Verified the fix on Mac.
Mac fix landed in 55.0.2863.0
Issue 660774 has been merged into this issue.
Issue 666735 has been merged into this issue.
Any chance of bounty?
I'm afraid we don't usually consider a bounty for low severity bugs. It will get a CVE assigned, though.
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot