
Issue 664551

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 0
Type: Bug-Security

Blocked on:
issue 554518
issue 664411


Pwnfest 2016 meta bug

Reported by aarya@google.com (Project Member), Nov 11 2016

Issue description

See sub-bugs.

Attachment: writeup.txt (9.3 KB)

Comment 1 by aarya@google.com, Nov 11 2016

Cc: awhalley@chromium.org anan...@chromium.org kerz@chromium.org

Comment 2 by aarya@google.com, Nov 11 2016

Cc: aludwig@google.com jlarimer@google.com

Comment 3 by aarya@google.com, Nov 11 2016

Cc: aelias@chromium.org wangxianzhu@chromium.org klo...@chromium.org
v8 bug tracked in 664411
play store bug for "inject javascript to play.google.com to install any app;" tracked in 554518 and http://b/25640668

Should we file a bug for "use intent scheme to launch the installed app."?

Comment 4 by klo...@chromium.org, Nov 11 2016

For the intent scheme, do we know how they do "inline hook processingUserGesture and utilizeUserGesture to bypass gesture detection"?

Comment 5 by aarya@google.com, Nov 11 2016

Andrew is working to get access to the exploit; right now there is just writeup.txt in c#0.

Comment 6 by creis@chromium.org, Nov 11 2016

See also http://b/25754017 for always prompting the user when installing an app from the web flow.

Comment 7 by aarya@google.com, Nov 11 2016

Here is the exploit.

Attachment: exploit.zip (163 KB)

Comment 8 by aarya@google.com, Nov 11 2016

Cc: quanto@google.com

Comment 9 by aarya@google.com, Nov 11 2016

Cc: dskiba@google.com
Labels: Security_Impact-Stable OS-Android
Status: Assigned (was: Untriaged)

Comment 11 by sheriffbot@chromium.org, Nov 12 2016

Labels: M-54

Comment 12 by sheriffbot@chromium.org, Nov 12 2016

Labels: -Pri-1 Pri-0

Comment 13 by sheriffbot@chromium.org, Nov 26 2016

Pri-0 bugs are critical regressions or serious emergencies, and this bug has not been updated in three days. Could you please provide an update, or adjust the priority to a more appropriate level if applicable?

If a fix is in active development, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by sheriffbot@chromium.org, Dec 2 2016

Labels: -M-54 M-55

Comment 15 by aarya@google.com, Dec 6 2016

Status: Fixed (was: Assigned)

Comment 16 by sheriffbot@chromium.org, Dec 7 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 17 by sheriffbot@chromium.org, Dec 9 2016

Labels: Merge-Request-56

Comment 18 by dimu@chromium.org, Dec 10 2016

Labels: -Merge-Request-56 Merge-Approved-56 Hotlist-Merge-Approved
Owner: sheriffbot@chromium.org
Your change meets the bar and is auto-approved for M56 (branch: 2924)
Labels: -Hotlist-Merge-Approved -Merge-Approved-56 Hotlist-Merge-Rejected
Metabug, nothing to merge.

Comment 20 by sheriffbot@chromium.org, Mar 15 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot