
Issue 648350


Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2016
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 3
Type: Feature

[Security feature request] Overlay background windows when a popup receives focus

Reported by luan.her...@hotmail.com, Sep 19 2016

Issue description

VULNERABILITY DETAILS
There is no indicator allowing the user to discern if a popup is being spoofed by the page he is visiting or if it is real and was generated by Chrome.
While I understand this is the default behavior in all browsers, I think the current state is rather negligent as convincing spoofs can be achieved.
The situation is even worse considering that with the popularization of external login services (such as Google and Facebook Sign-In), users have grown used to trusting these types of popups.

I thought of a way of mitigating this without impacting UX too much. A semi-transparent overlay could be added covering the entire background window every time a popup receives focus ("similar" to what Firefox does with modal dialogs [1]). This would prevent attackers from being able to spoof the exact UI.

I attached an image of what is happening now [2] and what I am proposing [3]. I also created a PoC that spoofs a Google Sign-In popup (keep in mind that I didn't take other operating systems or screen resolutions into consideration).

There is also an unlisted video demonstrating the spoof:
https://www.youtube.com/watch?v=0oega6C5SF0

VERSION
Chrome Version: 54.0.2840.27 beta-m

REPRODUCTION CASE
1. Access http://lbherrera.me/popup-spoof/index.html
2. Click on Sign in.

Attachments: [1].png (102 KB), [2].png (185 KB), [3].png (220 KB)
Status: Untriaged (was: Unconfirmed)
Summary: [Security feature request] Overlay background windows when a popup receives focus (was: [Security feature request] Add a semi-transparent overlay to the background window when a popup receives focus)
This is typically called a "Picture in Picture" attack. 

There's nothing that prevents the attacker from faking the overlay over the entire content area of the browser. She cannot fake an overlay over the omnibox and other top-level Chrome of the browser, but I am not aware of any user research that suggests that users would notice a distinction that subtle.

To make this work, you'd need to blur/dim any browser windows when they are not active (or, at least, whenever they are inactive and any other browser window overlays any of their pixels) which would be computationally intensive and likely annoying to many users.
Components: Security>UX
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Pri-3 Type-Feature
Status: WontFix (was: Untriaged)
I think this is too low in the list of priorities to get looked at.
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label
Issue 708506 has been merged into this issue.