Security: Linking to chrome:// URIs inside pdf via 'about:' protocol on iOS
Reported by
chromium...@gmail.com,
Nov 30 2016
|
|||||||||||||||||||||
Issue descriptionVERSION Chrome Version: 54.0.2840.91 Operating System: iOS REPRODUCTION CASE 1. Lunch chromeUrls.pdf 2. Click on "Chrome Settings"
,
Nov 30 2016
In addition, there have been similar issues to this issue bug 595514 and bug 528505 .
,
Dec 1 2016
,
Dec 1 2016
,
Dec 1 2016
This trick changes omnibox URL to chrome://version, but WebUI is not loaded. The page is blank and has no content. Chris do you see any security risks here? I personally think we can leave current behavior as it is (cancelling chrome://version is possible, but it's tricky and I'm not sure if it worth doing).
,
Dec 1 2016
I can repro with that testcase "Address bar spoof" as you can see in the screenshot the address bar shows chrome://version but the page's hostname is https://bugs.chromium.org... I will upload a video of recording.
,
Dec 1 2016
On other platforms, clicking on chrome: or about: URLs in web content (PDFs and HTML) doesn't work. In theory, it could work yet still be safe, because such navigations should always incur a process swap (since the WebUI renderer has more privilege than a regular web content renderer). What's the process swap situation on iOS? Does everything happen in the 1 sandboxed renderer process, or do we kill it and restart, or are none of the WebUI pages that work on iOS especially powerful? That's the crux of the issue, in my view. Powerful pages like chrome://settings don't seem to exist on Chrome for iOS anyway. That said, the behavior on other platforms is strictly safer, and it seems like as long as it doesn't break legitimate functionality (and, it presumably doesn't, since such navigations don't work on any other platform?), we should harmonize Chrome's behavior on all platforms if it's not too hard. #6: So the claim is that you can get a URL spoof to improve phishing attacks? Can you come up with a more convincing proof of concept (preferably attached as HTML/PDF/JS)? Thanks!
,
Dec 1 2016
,
Dec 1 2016
Steps to repro the "Address bar spoof": 1. Navigate to chromeUrls.pdf directly from this page (comment #0) 2. Click on "Chrome Settings" >> chrome://version (the page is blank) 3. Double tap to go back to this page 5. Double tap to go forward to chrome://version 6. Observe
,
Dec 1 2016
I can not reproduce the problem described in comment #9. On step 6 chrome://version page gets loaded. I use iPhone SE with iOS 10.1.1 and Chrome 54.0.2840.91. srikanthg@, do you want to try reproducing this?
,
Dec 1 2016
I tried on different devices and i can't repro either. Followed the steps on comment#8 and comment#9 on iPhone7, iPhone6plus and iPhoneSE.
,
Dec 8 2016
,
Dec 12 2016
,
Dec 22 2016
,
Jan 31 2017
Assigning low severity because of the unreliability of the spoof based on comment #12.
,
Apr 19 2017
,
Jul 11 2017
,
Jul 11 2017
,
Jul 12 2017
,
Sep 22 2017
chromium.khalil@ can you still reproduce the problem with Chrome 61? A few fixes were landed for the relevant code, so this issue may be fixed already. I'm asking you for retest because I was not able to repro almost a year ago (comment #10). Thank you!
,
Oct 2 2017
This seems like fixed. No more of repro.
,
Oct 3 2017
Thanks a lot for confirming!
,
Oct 3 2017
,
Jan 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by och...@chromium.org
, Nov 30 2016Owner: stuartmorgan@chromium.org
Status: Assigned (was: Unconfirmed)