
Issue 641642 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: A site can bypass the "Press Esc to exit full screen" warning message by entering fullscreen and quickly exiting

Reported by teddy.k...@gmail.com, Aug 27 2016

Issue description

VULNERABILITY DETAILS

Normally, when using the HTMLElement#webkitRequestFullscreen function, an informative message is displayed to the user ("Press Esc to exit full screen").

A site can block this message by requesting fullscreen on an element, and then quickly calling `document.webkitExitFullscreen` before the message appears. The element will still be displayed in fullscreen, but Chrome will not give any indication to the user that this is the case.

As a result, websites can spoof the URL bar by subtly entering fullscreen and creating an HTML element that looks/acts like a URL bar. This allows easy phishing attacks; for example, a malicious site can render a fake URL bar that says "https://google.com" and present a login form.

The fix for this issue would be to either (a) exit fullscreen when `document.webkitExitFullscreen` is called immediately after entering fullscreen, or (b) display the fullscreen warning message even when `document.webkitExitFullscreen` is called immediately.

VERSION
Chrome Version: 52.0.2743.116 stable
Operating System: OS X El Capitan 10.11.6

REPRODUCTION CASE

See the attached chrome-fullscreen-demo.html file.

Attachment: chrome-fullscreen-demo.html (112 KB)
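To make the ordering problem in the report concrete, here is an added illustration (not Chromium code, not the reporter's attachment): a hypothetical model of the browser-side state machine, with a fake clock so the enter/exit race can be replayed offline. It encodes the invariant a defender cares about, "if the page is fullscreen, the user has been warned or a warning is pending", and checks it for the reported behaviour and for the reporter's two fix options (a) and (b). WARNING_DELAY_MS and the 10 ms exit timing are constructed values; the real delay is not given in the report.

```javascript
// Hypothetical model of the fullscreen-warning state machine (not Chromium code).
// WARNING_DELAY_MS is a constructed value; the real bubble delay is not in the report.
const WARNING_DELAY_MS = 50;

// Deterministic fake clock so the race can be replayed without a browser.
function makeClock() {
  let now = 0, nextId = 1;
  const timers = new Map();
  return {
    schedule(delay, fn) { const id = nextId++; timers.set(id, { at: now + delay, fn }); return id; },
    cancel(id) { timers.delete(id); },
    advance(ms) {
      now += ms;
      for (const [id, t] of [...timers].sort((x, y) => x[1].at - y[1].at)) {
        if (t.at <= now) { timers.delete(id); t.fn(); }
      }
    },
  };
}

// mode: 'buggy' (behaviour described in the report), 'exit' (fix option a: honour the
// early exit), 'warn' (fix option b: show the bubble even when exit is called at once).
function makeController(mode, clock) {
  const s = { fullscreen: false, warned: false, timer: null };
  const showWarning = () => { s.warned = true; s.timer = null; };
  return {
    requestFullscreen() {
      s.fullscreen = true; s.warned = false;
      s.timer = clock.schedule(WARNING_DELAY_MS, showWarning);
    },
    exitFullscreen() {
      if (s.timer !== null) {                   // exit arrived before the bubble appeared
        clock.cancel(s.timer); s.timer = null;
        if (mode === 'buggy') return;            // bubble suppressed, element stays fullscreen
        if (mode === 'warn') { showWarning(); return; } // still fullscreen, but user is warned
      }
      s.fullscreen = false;                      // 'exit' mode, or any exit after the bubble
    },
    // invariant: fullscreen implies the user was warned or a warning is still scheduled
    state() { return { fullscreen: s.fullscreen, warned: s.warned, invariant: !s.fullscreen || s.warned || s.timer !== null }; },
  };
}

// Replays the report's sequence: enter fullscreen, exit inside the delay, let time pass.
function runRace(mode) {
  const clock = makeClock(), ctl = makeController(mode, clock);
  ctl.requestFullscreen(); clock.advance(10); ctl.exitFullscreen(); clock.advance(1000);
  return ctl.state();
}

// Normal path for comparison: fullscreen is entered and the bubble simply appears.
function runNormal(mode) {
  const clock = makeClock(), ctl = makeController(mode, clock);
  ctl.requestFullscreen(); clock.advance(1000);
  return ctl.state();
}
```

Only the 'buggy' replay ends fullscreen with no warning, i.e. with the invariant violated; both fix options restore it, which is the property a regression test for this class of bug should assert.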
Status: WontFix (was: Unconfirmed)
Unable to reproduce this. I only see google.com spoof open in the renderer window and not in fullscreen. Please provide detailed reproduction instructions.

I'm unsure of what the issue is, but here are steps to reproduce:

1. Download the attached html file
2. Open the file in chrome (with the URL "file:///path/to/chrome-fullscreen-demo.html")
3. Click the blue link that says "here"

The browser enters fullscreen (causing the omnibox to go away), and the spoof appears at the top of the screen.

---

I'm using Chrome 52.0.2743.116 (64-bit) on Mac OSX El Capitan 10.11.6, on a MacBook Pro with a retina display.

This also occurs if I set up a local HTTP server and access the file, e.g. at the URL "http://localhost:8889/chrome-fullscreen-demo.html".

I am logged into my google account on Chrome, but switching to Incognito mode does not seem to make a difference.

If you're still unable to reproduce it with this information, I can try to narrow the problem down using a fresh Chrome installation.

For what it's worth, I tried this again in Chrome 53.0.2785.101 and it appears to be fixed.
Project Member

Comment 4 by sheriffbot@chromium.org, Dec 6 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
