Chrome for Android allows web sites to automatically download HTML pages to the device and redirect to them
using the "Content://" scheme. Once in the Content scheme, the Same Origin Policy does not protect a
downloaded HTML from accessing other content files, such as other downloaded files.

Not only does this give web pages access to sensitive user data in the Download directory via a carefully crafted
downloaded HTML page, but also enables the interaction with any other web site. This is achieved by triggering
GET requests, downloading the response and reading the response back out using their own downloaded HTML
page.

MWR used this vulnerability to exfiltrate the victim's Downloaded files, and then to also interact with sites they were
logged into. In particular, this was used to read out files from the victim's Google Drive account, and to install
applications to the device using the Google Play store.

Chrome for Android permits the use of "content" as a scheme. This scheme according to the AndroidManifest.xml
file is marked as BROWSABLE:

<activity android:name=”org.chromium.chrome.browser.document.ChromeLauncherActivity”
android:theme=”@android:style/Theme.Translucent.NoTitleBar”>
…(snip)…
<intent-filter>

<action android:name="android.intent.action.VIEW"/>

<category android:name="android.intent.category.DEFAULT"/>

<category android:name="android.intent.category.BROWSABLE"/>

<data android:scheme="googlechrome"/>

<data android:scheme="http"/>

<data android:scheme="https"/>

<data android:scheme="about"/>

<data android:scheme="content"/>

This allows an attacker to redirect a user from a malicious web page to a file stored under the content scheme,
which includes any downloaded file. Downloads are accessible with the content scheme due to Android's
DownloadProvider allowing file access to downloaded files via its content://downloads/my_downloads/# URL. An
example of this redirect in JavaScript would therefore be:
document.location='content://downloads/my_downloads/25';

If a malicious HTML page is downloaded, chrome can be redirected to the content:// url of this download. From
here due to the Same Origin Policy of content URLs, it is possible to read any other download file and exfiltrate
their data. For example if an HTML page 'content://downloads/my_downloads/25' was loaded into Chrome, then
this page could open content://downloads/my_downloads/23 into an iframe and read its contents.

The downloading of HTML pages can be achieved without user interaction. This is performed by placing the URL
into an HTML Anchor element that includes the Download attribute and then calling the “click()” function in
JavaScript. This technique works for downloading pages on the malicious site, but also for any page on any other
web site. This can be used, for example, to exfiltrate Google Drive files by determining their URL and then
triggering their download. By redirecting to the malicious downloaded HTML page under the content scheme, it is
then possible to exfiltrate these downloaded files.

These exfiltrated pages will contain Cross Site Request Forgery (CSRF) tokens needed to make valid POST
messages. The data from the exfiltrated pages can therefore be used to create and submit valid POST requests to
these same sites. In essence it allows for an attack that can bypass a site's CSRF protection to perform sensitive
actions on the site as the victim, or to download and exfiltrate further data.

Going to add the CCs to the dependent bug, since there's already some discussion there.

This is a meta bug, lets do discussion in 659492.

can the android guys get access to 659492?

Anybody CCed on this bug is now CCed on 659492.

Done!

Since it appears all Pwn2Own bugs have been fixed on trunk and all release branches, marking this meta bug as fixed - please reopen if there is still work pending.

[Automated comment] Less than 2 weeks to go before AppStore submit on M55, manual review required.

Merge to M55 was done on 659492

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot