Security: Drag/drop download feature can be abused to leak sensitive information from third-party sites
Issue description

Repro: https://whytls.com/test/drag/crossorigin.html

1. Drag file to desktop.
2. Observe: File with attacker-controlled name with cross-origin data is on user's desktop
3. Attacker would then entice user to reupload the data to his server (e.g. by dragging the file back onto the window).

This is essentially the same bug as Issue 608669, except in this variant the user is downloading via the e.dataTransfer.setData("DownloadURL", s) mechanism.

One saving grace today is that because of Issue 540547, drag/drop directly to web browsers does not work (meaning cannot clickjack the user into cross-origin data theft) because Chrome does not indicate support for async drop. The user must be persuaded to first drop the file on another client that does (Explorer), then drag the file back.
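Added example, not part of the original report and not Chromium's code: a small check that parses a "DownloadURL" drag payload (the `mime:filename:url` string passed to `setData`) and reports whether the file it names would be fetched from an origin other than the page that started the drag. The function names, the sample origins and the idea of flagging cross-origin payloads are assumptions made for illustration.

```javascript
// Added example (hypothetical helper names). Parses the "DownloadURL"
// drag payload format "mime:filename:url" and classifies its URL
// relative to the origin of the page that started the drag.
function parseDownloadURL(value) {
  const first = value.indexOf(":");              // end of MIME type
  const second = value.indexOf(":", first + 1);  // end of filename
  if (first <= 0 || second <= first + 1) return null; // MIME or filename missing
  let url;
  try {
    url = new URL(value.slice(second + 1));      // rest of the string; must be absolute
  } catch {
    return null;
  }
  return {
    mime: value.slice(0, first),
    filename: value.slice(first + 1, second),    // chosen by the page, not by the URL's server
    url,
  };
}

// pageOrigin: origin of the dragging document, e.g. "https://site-a.example"
function classifyDragDownload(value, pageOrigin) {
  const parsed = parseDownloadURL(value);
  if (!parsed) return "malformed";
  const { url } = parsed;
  if (url.protocol !== "http:" && url.protocol !== "https:") return "non-http";
  // URL.origin normalises default ports, so :443 on https compares equal.
  return url.origin === pageOrigin ? "same-origin" : "cross-origin";
}

// Constructed sample payloads, all evaluated for a page on https://site-a.example
const PAGE = "https://site-a.example";
const samples = [
  "text/plain:report.txt:https://site-a.example:443/files/report.txt",
  "text/plain:innocent.txt:https://site-b.example/account/settings",
  "text/plain:inline.txt:data:text/plain,hello",
  "text/plain:https://site-b.example/x",         // filename field missing
];
for (const s of samples) {
  console.log(classifyDragDownload(s, PAGE).padEnd(12), s);
}
```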
Oct 8 2016
Oct 22 2016
mkwst: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 6 2016
mkwst: Uh oh! This issue is still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 26 2017
Mar 10 2017
Apr 20 2017
May 1 2017
C#0 is not a feasible attack scenario. We can't convince user to upload local files, and also convincing to local desktop via drag drop is a very hard gesture. WontFixing. If you still are planning to fix this, open it as a functional bug and remove security labels.
Jul 28 2017
Aug 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Oct 7 2016
Labels: M-55 Security_Severity-Medium Security_Impact-Stable OS-All Pri-2
Owner: mkwst@chromium.org
Status: Assigned (was: Untriaged)