Issue 671879

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 394296
Owner: ----
Closed: Feb 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug



Security: Site freezes all tabs in Chrome (tight-loop of pushState)

Project Member Reported by shashi@google.com, Dec 7 2016

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug:
https://www.chromium.org/Home/chromium-security/security-faq

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Site is capable of playing intrusive audio indefinitely and freezing chrome tabs / browser

VERSION
Version 54.0.2840.98 (64-bit)
MacOS

REPRODUCTION CASE
go to http://gaminghour.xyz/windows/
it redirects to a site with around 1000 numbers
plays audio, freezes the tab on chrome for mac
can't close / reload it or other tabs
try reporting the long url site to stopbadware, google, or other sites and you get an error, presumably because it's too long for anything to handle


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

 
Components: UI>Browser>Navigation
Status: Untriaged (was: Unconfirmed)
Summary: Security: Site freezes all tabs in Chrome (tight-loop of pushState) (was: Security: Site freezes all tabs in Chrome)
This is a broad denial-of-service which is effective in blocking access to all tabs. I've sent the URL to the SafeBrowsing team.

The underlying cause of the DoS is likely a dupe of Issue 648333.

<script>
    setTimeout(function(){
        var total = "";
        for( var i = 0; i < 100000; i++ ) {
            total = total + i.toString();
            history.pushState(0,0, total );
        }
    }, 2500);  
</script>
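
The loop above calls history.pushState 100,000 times with an ever-growing URL. As an added example (not part of the original report and not Chrome's own code), here is a sketch of the kind of bound that stops it: a token-bucket wrapper that caps both the call rate and the URL length. The function name guardHistory and all limit values are assumptions chosen for illustration.

```javascript
// Added example: bounds how fast and how large pushState/replaceState calls
// can be. guardHistory and every limit below are assumptions for illustration.
function guardHistory(hist, opts = {}) {
  const maxCalls = opts.maxCalls ?? 50;      // burst budget (assumed)
  const windowMs = opts.windowMs ?? 10000;   // time to refill a full budget (assumed)
  const maxUrlLen = opts.maxUrlLen ?? 2048;  // longest URL accepted (assumed)
  const now = opts.now ?? Date.now;          // injectable clock for testing
  const stats = { allowed: 0, droppedRate: 0, droppedLength: 0 };
  let tokens = maxCalls;
  let last = now();

  function admit(url) {
    // Refill the bucket in proportion to the time elapsed since the last call.
    const t = now();
    tokens = Math.min(maxCalls, tokens + ((t - last) / windowMs) * maxCalls);
    last = t;
    // Reject oversized URLs first: the loop above grows the URL on every pass.
    if (url != null && String(url).length > maxUrlLen) {
      stats.droppedLength++;
      return false;
    }
    if (tokens < 1) {
      stats.droppedRate++;
      return false;
    }
    tokens -= 1;
    stats.allowed++;
    return true;
  }

  for (const name of ["pushState", "replaceState"]) {
    const original = hist[name].bind(hist);
    hist[name] = function (state, title, url) {
      // Drop silently instead of throwing so a legitimate app keeps running.
      if (admit(url)) original(state, title, url);
    };
  }
  return stats;
}

// In a browser, install the guard before any third-party script runs.
if (typeof window !== "undefined" && window.history) {
  guardHistory(window.history);
}
```

The wrapper only bounds scripts that go through the wrapped object, so it is not a substitute for throttling inside the browser itself.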

Comment 2 by aarya@google.com, Dec 7 2016

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Not a security vulnerability.
https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Are-denial-of-service-issues-considered-security-bugs-
Mergedinto: 394296
Status: Duplicate (was: Untriaged)