Issue metadata
Sign in to add a comment
|
Security: Chrome PaymentRequestAPI Payment-Origin Spoof
Reported by
xis...@gmail.com,
May 2 2017
|
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS PaymentRequestAPI show the native payment UI with show().In this UI,include the origin of payment.An attacker can change the origin of payment. VERSION Chrome Version: [58.0.3029.83] + [stable] Operating System: [Android] REPRODUCTION CASE (1) Open https://jsfiddle.net/xisigr/602s93zm/ in android chrome (2) Click the button "Click me" (3) Click the button "Pay 9999USD (https://www.paypal.com)"
,
May 2 2017
rouslan, could you please take a look, or help with assigning this to the right person? thanks!
,
May 2 2017
Given that the attacker controls the string immediately above the "spoofed" string, this feels more like a Low severity issue.
,
May 2 2017
,
May 2 2017
elawrence: Do you think disabling the API on data URLs would help?
,
May 2 2017
+lgarron@, expert on URL display. (FWIW, the repro here is a blob: URL; top-level navigation to data: URLs will be blocked in Chrome 60 ( Issue 684011 ). Do we allow the API in subframes?) Having said that, is there a reason that we're showing a full URL here instead of the security origin?
,
May 2 2017
Drive-by: IMO we should disable this API on anything other than https URLs. There is all sorts of weirdness with pseudo URLs that make their display a nightmare (e.g. blob URLs can have null origins if they are opened by data URL iframes).
,
May 2 2017
We allow API in subframes that have "allowpaymentrequest" attribute. We're showing the output of FormatURLForSecurityDisplay(webContents.getLastCommittedURL()). Let me check the code to see what's happening exactly.
,
May 2 2017
meacer, localhost and file:// scheme origins should also be enabled for testing.
,
May 2 2017
OK, so https, localhost and file only then?
,
May 2 2017
SGTM. I can make the change.
,
May 2 2017
,
May 2 2017
FYI. I believe this has been fixed in Canary (https://play.google.com/store/apps/details?id=com.chrome.canary) via http://crrev.com/6e3cf7c. xisigr: Can you verify?
,
May 2 2017
meacer: Would it be OK to allow the API on all cryptographic schemes? (Along with localhost and file:// scheme origins.)
,
May 2 2017
#14: That would add only WSS. That seems unlikely to happen in the real world, but also harmless? Are we sure this bug is present only on Android?
,
May 2 2017
Any reason we can't use IsOriginSecure()?
,
May 2 2017
> Any reason we can't use IsOriginSecure()? We use IsOriginSecure() since http://crrev.com/6e3cf7c. > Are we sure this bug is present only on Android? Desktop UI does not show the origin. I'll work with iOS folks on getting this fixed as well. +mahmadi > That would add only WSS. That seems unlikely to happen in the real world, but also harmless? Also HTTPS-SO. I'm not sure what WSS and HTTPS-SO are, but they are all considered "cryptographic" in Chrome.
,
May 2 2017
mahmadi, can we get something similar to https://cs.chromium.org/chromium/src/components/payments/content/payment_request.cc?l=48-69 on iOS?
,
May 2 2017
,
May 2 2017
,
May 2 2017
> Also HTTPS-SO. I'm not sure what WSS and HTTPS-SO are Those are schemes to designate suborigins (https://w3c.github.io/webappsec-suborigins/). That whole suborigin-encoded-in-the-scheme thing might be going away soon anyway, but for now that seems fine; I don't see any reason to restrict payment requests on suborigins.
,
May 2 2017
> Any reason we can't use IsOriginSecure()? IsOriginSecure incorrectly considers a bunch of unrelated schemes as secure (file, filesystem, about:blank (bug 696810) and data (bug 684231).
,
May 3 2017
,
May 4 2017
The bug that allows an attacker tamper with trusted origin of Payment UI.Is this SecSeverity-Low? rouslan: This bug is not valid in Canary, I think it has been fixed.
,
May 4 2017
elawrence^^
,
May 4 2017
Re #24: URL Spoofing in contexts outside of the address box does not have a defined severity (https://www.chromium.org/developers/severity-guidelines). Given that the UI here isn't a surface with which most users will be familiar, and because the spoofable string is immediately adjacent to a string which is deliberately attacker controlled, Low severity seems appropriate to me.
,
May 5 2017
,
May 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b28f4539b767b634d9257964f04e72b8987910b5 commit b28f4539b767b634d9257964f04e72b8987910b5 Author: rouslan <rouslan@chromium.org> Date: Mon May 08 15:41:47 2017 Disable web payments API on blob: and data: schemes. This patch makes PaymentRequest.show() always reject with NotSupportedError and PaymentRequest.canMakePayments() always return false on origins that are not either localhost, file://, or cryptographic scheme. BUG= 717476 Review-Url: https://codereview.chromium.org/2859613002 Cr-Commit-Position: refs/heads/master@{#469991} [modify] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java [modify] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/android/java_sources.gni [add] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/android/javatests/src/org/chromium/chrome/browser/payments/PaymentRequestBlobUrlTest.java [add] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/android/javatests/src/org/chromium/chrome/browser/payments/PaymentRequestDataUrlTest.java [modify] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/android/javatests/src/org/chromium/chrome/browser/payments/PaymentRequestTestBase.java [add] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/browser/ui/views/payments/payment_request_blob_url_browsertest.cc [modify] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/browser/ui/views/payments/payment_request_browsertest_base.cc [modify] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/browser/ui/views/payments/payment_request_browsertest_base.h [add] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/browser/ui/views/payments/payment_request_data_url_browsertest.cc [modify] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/browser/ui/views/payments/test_chrome_payment_request_delegate.cc [modify] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/browser/ui/views/payments/test_chrome_payment_request_delegate.h [modify] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/test/BUILD.gn [add] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/test/data/payments/blob_url.js [add] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/chrome/test/data/payments/payment_request_blob_url_test.html [modify] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/components/payments/content/payment_request.cc [modify] https://crrev.com/b28f4539b767b634d9257964f04e72b8987910b5/components/payments/content/payment_request.h
,
May 8 2017
,
May 9 2017
,
May 25 2017
,
Jun 27 2017
,
Jul 24 2017
,
Jul 25 2017
,
Aug 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 25 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, May 2 2017Status: Untriaged (was: Unconfirmed)