Project: chromium
Status: Fixed
Closed: Mar 2017
OS: Linux, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security
Security: Address bar spoof with location.replace()
Reported by chromium...@gmail.com, Sep 19 2016
VERSION
Chrome Version: 55.0.2864.0 canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
1. Launch chrome and navigate to index.html
2. Click on the button
3. Click on "Back to safety" which is on the interstitial page and wait
4. Observe
Attachments: ScreenShot.png (41.1 KB), PoC.rar (504 bytes), Recording URL-Spoofing.mp4 (457 KB)
Comment 2 Deleted
Status: Untriaged
This looks like a variant of e.g. 643173 which should be fixed already.

I was able to reproduce with 55.2865 for a split second; 55.2864 has some known bugs around the origin chip, e.g. 647803.
Cc: f...@chromium.org
Components: Security>UX
Labels: Security_Severity-Medium Security_Impact-Stable
Oh, interesting. This repros in 53.2785 and 54.2840 as well, and when you use "Back to safety" the spoofed content lives indefinitely.

So this is not related to recent changes. 

The mis-attributed HTML does appear to be non-interactive (I can't select text in it, for instance) limiting it somewhat but it could contain static spoofing content. Interestingly, if I open the developer tools, they show markup from Twitter, suggesting that maybe what's happening is the spoof content is somehow living in the interstitial and overlaying the victim site.
Comment 5 Deleted
Labels: Pri-2
Owner: elawre...@chromium.org
Status: Assigned
Feel free to assign to an appropriate owner, Eric.
Project Member Comment 7 by sheriffbot@chromium.org, Sep 20 2016
Labels: M-54
Project Member Comment 8 by sheriffbot@chromium.org, Sep 20 2016
Labels: -Pri-2 Pri-1
Project Member Comment 9 by sheriffbot@chromium.org, Oct 4 2016
elawrence: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Any updates?
Cc: creis@chromium.org
creis@ - Any chance we've got an expert on interstitials that may know what's going on here before I dive in to try to figure it out?
Comment 12 by f...@chromium.org, Oct 5 2016
Cc: nasko@chromium.org
Components: UI>Browser>Navigation
Cc: meacer@chromium.org
Interstitials are in need of an owner, sadly.  Nasko, Mustafa, and I know them enough to help, though we're a bit starved for time at the moment.  We can help with suggestions or you can assign it to one of us for when we get a chance.
Comment 14 by creis@chromium.org, Oct 17 2016
Cc: a...@chromium.org
Avi, would you be able to help investigate this one?
Project Member Comment 15 by sheriffbot@chromium.org, Oct 20 2016
elawrence: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Owner: creis@chromium.org
Apologies-- I unfortunately haven't made any progress with this, so passing it along per comment #13.
Components: -Security>UX UI>Security>UrlFormatting
Labels: Team-Security-UX
Project Member Comment 18 by sheriffbot@chromium.org, Dec 2 2016
Labels: -M-54 M-55
Any updates on this bug?
Comment 20 by creis@chromium.org, Dec 12 2016
Cc: dcheng@chromium.org
Sorry, I missed the reassignment.  I'll try to take a look this week.

At first glance, this looks similar to what's happening in issue 672847, where the spoofed content can't be interacted with, and DevTools shows that document.body is null. I'll see if I can find what's going on, and what's common between the two.
Comment 21 by creis@chromium.org, Dec 16 2016
Owner: kenrb@chromium.org
Ken: I'm pretty sure this is the same bug as issue 672847, and that it's due to a bug in the unresponsiveness timer from issue 497588.

Specifically, if you click "Back to Safety" between 2 and 4 seconds after the twitter.com popup appears, you'll see "Address Spoofing" disappear due to the unresponsiveness timer.  If you minimize the popup and show it again, "Address Spoofing" will come back.

If you're able to get a fix for issue 672847, can you check whether it fixes this as well?
Comment 22 by kenrb@chromium.org, Dec 28 2016
Cc: kenrb@chromium.org
Issue 676840 has been merged into this issue.
Any updates?
Comment 24 by kenrb@chromium.org, Jan 23 2017
I haven't had time to work on this yet, but expect to in the near future.
Project Member Comment 25 by sheriffbot@chromium.org, Jan 26 2017
Labels: -M-55 M-56
Project Member Comment 26 by sheriffbot@chromium.org, Mar 10 2017
Labels: -M-56 M-57
Cc: jialiul@chromium.org
Cc: rsesek@chromium.org
Issue 704537 has been merged into this issue.
Fixed per https://codereview.chromium.org/2702433002. Please read c#20 and c#21.

Charlie, Ken - can you double-check?
Comment 30 by kenrb@chromium.org, Mar 27 2017
Labels: reward-topanel
Status: Fixed
Ah, thanks for calling it out. It looks like my patch did fix this, although I had not properly diagnosed what was happening here and I forgot to check after the fact.

Your approach is quite a bit different from how bug 672847 worked, but the timer mechanism has now been made a lot more robust and should be resilient to loopholes like this. Thanks for the submission!
Project Member Comment 31 by sheriffbot@chromium.org, Mar 28 2017
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 32 by kenrb@chromium.org, Mar 28 2017
Issue 664750 has been merged into this issue.
Project Member Comment 33 by sheriffbot@chromium.org, Mar 30 2017
Labels: Merge-Request-58
Project Member Comment 34 by sheriffbot@chromium.org, Mar 31 2017
Labels: -Merge-Request-58 Hotlist-Merge-Approved Merge-Approved-58
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 35 by bugdroid1@chromium.org, Apr 3
Labels: -merge-approved-58 merge-merged-3029
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728

commit 5aa9a4a70f65068dcc5d8b84ca42cb05fb380728
Author: Ken Buchanan <kenrb@chromium.org>
Date: Mon Apr 03 15:21:16 2017

(Reland) Discard compositor frames from unloaded web content

This is a reland of https://codereview.chromium.org/2707243005/ with a
small change to fix an uninitialized memory error that fails on MSAN
bots.

BUG= 672847 , 648117 
TBR=danakj@chromium.org, creis@chromium.org
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2731283003
Cr-Commit-Position: refs/heads/master@{#454954}
(cherry picked from commit 5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34)

Review-Url: https://codereview.chromium.org/2793013002 .
Cr-Commit-Position: refs/branch-heads/3029@{#547}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/ipc/cc_param_traits_macros.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/ipc/compositor_frame_metadata.mojom
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/ipc/compositor_frame_metadata_struct_traits.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/ipc/compositor_frame_metadata_struct_traits.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/ipc/struct_traits_unittest.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/output/compositor_frame_metadata.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_host.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_host.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_host_impl.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_host_unittest.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_impl.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_impl.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/browser/renderer_host/render_widget_host_impl.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/browser/renderer_host/render_widget_host_impl.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/browser/renderer_host/render_widget_host_unittest.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/common/frame_messages.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/renderer/gpu/render_widget_compositor.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/renderer/gpu/render_widget_compositor.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/renderer/render_widget.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/renderer/render_widget.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/test/test_render_view_host.h
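
A simplified model of the mitigation named in the commit above (discarding compositor frames from unloaded web content), added here as an illustration and not Chromium's own code: the browser-side widget host tags the committed document with a source id that is bumped on every navigation commit, and a frame the renderer submits for an older source id is dropped instead of being composited under the new page's URL. The names `RenderWidgetHostModel`, `CompositorFrame`, `content_source_id` and the sample URLs are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CompositorFrame:
    """Constructed stand-in for a renderer-submitted frame (not Chromium's type)."""
    content_source_id: int  # which document painted this frame (assumed field name)
    description: str        # label for what the pixels would show in this model


class RenderWidgetHostModel:
    """Browser-side model of the widget that receives frames from the renderer.

    Before the fix every submitted frame was displayed regardless of which
    document produced it, so a late frame from an unloaded page could stay on
    screen under the new page's URL. The fix discards frames whose source id
    predates the currently committed document.
    """

    def __init__(self) -> None:
        self.current_source_id = 0
        self.displayed_url: Optional[str] = None
        self.displayed_frame: Optional[CompositorFrame] = None
        self.discarded: List[CompositorFrame] = []

    def commit_navigation(self, url: str) -> int:
        """A new document commits: bump the source id and clear stale pixels."""
        self.current_source_id += 1
        self.displayed_url = url
        self.displayed_frame = None
        return self.current_source_id

    def submit_frame(self, frame: CompositorFrame) -> bool:
        """Accept a frame only if it belongs to the current document."""
        if frame.content_source_id < self.current_source_id:
            self.discarded.append(frame)  # stale frame from unloaded content
            return False
        self.displayed_frame = frame
        return True


def run_scenario() -> dict:
    """Reported sequence: old page paints, navigation commits, old frame arrives late."""
    host = RenderWidgetHostModel()
    first = host.commit_navigation("https://old-page.example/index.html")  # constructed
    host.submit_frame(CompositorFrame(first, "old page pixels"))
    second = host.commit_navigation("https://twitter.com/")
    late_accepted = host.submit_frame(CompositorFrame(first, "old page pixels"))
    fresh_accepted = host.submit_frame(CompositorFrame(second, "twitter.com pixels"))
    shown = host.displayed_frame.description if host.displayed_frame else None
    return {"late_accepted": late_accepted, "fresh_accepted": fresh_accepted,
            "shown": shown, "url": host.displayed_url, "discarded": len(host.discarded)}
```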

Labels: -M-57 M-58
Labels: -Hotlist-Merge-Approved
Labels: -reward-topanel reward-unpaid reward-500
Thanks for the report - the panel decided to award $500 for this bug.
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M58
Labels: CVE-2017-5067
Project Member Comment 43 by sheriffbot@chromium.org, Jul 4
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot