
Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug-Security




Security: FLAG_SECURE not used on Android for credit cards pre-fills

Reported by ya...@nightwatchcybersecurity.com, May 11 2017

Issue description

VULNERABILITY DETAILS
FLAG_SECURE is not used within Chrome on Android when putting in prefilled credit card numbers. This would allow another application on the same device to see the screen and capture the numbers. By comparison Android Pay and Android Wallet use FLAG_SECURE for credit card entry.

We have a blog post here explaining FLAG_SECURE:
https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/

VERSION
Chrome Version: 58.0.3029.83 stable
Operating System: Android 7.1.2; security patch level May 5 2017

REPRODUCTION CASE
To reproduce:
1. Open Chrome.
2. Go to Settings, Autofill and payments, Credit Cards.
3. Tap on "Add credit card".
4. Press Power and volume down to capture screenshot.
5. Confirm that a screenshot can be taken.
 

Comment 1 by aarya@google.com, May 12 2017

Cc: wuandy@chromium.org
Components: UI>Browser>Autofill>Payments
Labels: Security_Severity-Medium Security_Impact-Stable OS-Android Pri-1
Owner: rouslan@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by sheriffbot@chromium.org, May 12 2017

Labels: M-59
Status: Started (was: Assigned)
Cc: tedc...@chromium.org ma...@chromium.org gogerald@chromium.org
https://chromium-review.googlesource.com/c/504787/

Comment 5 by bugdroid1@chromium.org, May 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/416588f2ea472b4f9273cbd0e40c1d18f71d1cba

commit 416588f2ea472b4f9273cbd0e40c1d18f71d1cba
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Mon May 15 17:04:54 2017

Prevent screenshots of the card editor views.

Before this patch, users could take screenshots of the local credit card
editor views, which show the full card number in plain text. (Chrome
does not show the full number of the server cards.)

This patch adds a FLAG_SECURE to the window of the local card editors
for PaymentRequest and autofill. The flag is added for Chrome Beta and
Stable builds to protect regular users. Dev, Canary, and developer
builds do not have the FLAG_SECURE set.

After this patch, users cannot take screenshots of the local card
editor views in Chrome Beta and Stable.

Bug:  721579 
Change-Id: I82dcd7c83cec85fb3f8dd58aa7ab25c2826641d0
Reviewed-on: https://chromium-review.googlesource.com/504787
Reviewed-by: Ted Choc <tedchoc@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#471807}
[modify] https://crrev.com/416588f2ea472b4f9273cbd0e40c1d18f71d1cba/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/EditorView.java
[modify] https://crrev.com/416588f2ea472b4f9273cbd0e40c1d18f71d1cba/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/PaymentRequestUI.java
[modify] https://crrev.com/416588f2ea472b4f9273cbd0e40c1d18f71d1cba/chrome/android/java/src/org/chromium/chrome/browser/preferences/autofill/AutofillLocalCardEditor.java

Labels: Merge-Request-59
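The reporter's description and the commit message above both turn on one Android detail: a window that renders a full card number must carry WindowManager.LayoutParams.FLAG_SECURE, otherwise any app with screenshot or screen-recording ability on the device (or the user's own Power + Volume Down) can capture it. The following is an added example, not code from Chromium or from the reporter, showing how such a flag is applied to an Activity and to a Dialog, and how it can be gated on build type the way the patch description says Chromium gates it on Beta/Stable. The package, class, layout and the isReleaseBuild() check are assumptions for illustration; Chromium's actual channel check is not shown on this page.

```java
// Added example (not Chromium's code). Demonstrates FLAG_SECURE on a
// card-entry window. Package, class names and layout are hypothetical.
package com.example.cardeditor;

import android.app.Activity;
import android.app.Dialog;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;

public class LocalCardEditorActivity extends Activity {

    // Hypothetical stand-in for a release-channel check. Here a build that is
    // not debuggable counts as "release" (Chromium's own check is not on this page).
    static boolean isReleaseBuild(Context context) {
        int flags = context.getApplicationInfo().flags;
        return (flags & ApplicationInfo.FLAG_DEBUGGABLE) == 0;
    }

    // Apply FLAG_SECURE to any window that will show the full card number.
    // Must run before the window is first drawn: for an Activity, in onCreate()
    // before setContentView(); for a Dialog, before show().
    static void protectCardWindow(Window window, Context context) {
        if (window == null) return;
        if (isReleaseBuild(context)) {
            window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                            WindowManager.LayoutParams.FLAG_SECURE);
        }
        // Dev/debug builds deliberately keep screenshots enabled for testing,
        // mirroring the split described in the commit message on this page.
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        protectCardWindow(getWindow(), this);
        setContentView(R.layout.local_card_editor); // hypothetical layout resource
    }

    // The same treatment for a Dialog-based editor: the Dialog has its own
    // Window, so the Activity's flag does not carry over to it.
    Dialog createCardEditorDialog() {
        Dialog dialog = new Dialog(this);
        dialog.setContentView(R.layout.local_card_editor); // hypothetical layout resource
        protectCardWindow(dialog.getWindow(), this);       // before dialog.show()
        return dialog;
    }
}
```

Two caveats a practitioner should keep in mind. FLAG_SECURE is per-window, so every surface that can display the number (activity, dialog, bottom sheet, popup) needs it separately, and the flag has to be set before the first frame is drawn or a screenshot can still catch the initial render. It also protects only against capture of the rendered pixels: it does not stop an accessibility service from reading the text of the fields, and it is no defence on a rooted device. A quick check that the flag took effect is to open the editor on a non-debuggable build and take a screenshot with Power + Volume Down as in the reproduction steps above; the card-editor window should be blanked in the captured image.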

Comment 7 by sheriffbot@chromium.org, May 15 2017

Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by bugdroid1@chromium.org, May 15 2017

Labels: -merge-approved-59 merge-merged-3071
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0ad491fdca26232f4edc8120121859209ebc5a0a

commit 0ad491fdca26232f4edc8120121859209ebc5a0a
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Mon May 15 18:53:52 2017

[Merge M-59] Prevent screenshots of the card editor views.

Before this patch, users could take screenshots of the local credit card
editor views, which show the full card number in plain text. (Chrome
does not show the full number of the server cards.)

This patch adds a FLAG_SECURE to the window of the local card editors
for PaymentRequest and autofill. The flag is added for Chrome Beta and
Stable builds to protect regular users. Dev, Canary, and developer
builds do not have the FLAG_SECURE set.

After this patch, users cannot take screenshots of the local card
editor views in Chrome Beta and Stable.

TBR=rouslan@chromium.org

(cherry picked from commit 416588f2ea472b4f9273cbd0e40c1d18f71d1cba)

Bug:  721579 
Change-Id: I82dcd7c83cec85fb3f8dd58aa7ab25c2826641d0
Reviewed-on: https://chromium-review.googlesource.com/504787
Reviewed-by: Ted Choc <tedchoc@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#471807}
Reviewed-on: https://chromium-review.googlesource.com/505531
Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/branch-heads/3071@{#559}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}
[modify] https://crrev.com/0ad491fdca26232f4edc8120121859209ebc5a0a/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/EditorView.java
[modify] https://crrev.com/0ad491fdca26232f4edc8120121859209ebc5a0a/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/PaymentRequestUI.java
[modify] https://crrev.com/0ad491fdca26232f4edc8120121859209ebc5a0a/chrome/android/java/src/org/chromium/chrome/browser/preferences/autofill/AutofillLocalCardEditor.java

Status: Fixed (was: Started)

Comment 10 by sheriffbot@chromium.org, May 16 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Hi - is this bug eligible for the Chrome Rewards program?
Labels: reward-topanel
Thanks for your report. We'll consider your report under the Chrome Reward Program for a security cash reward - full details here: https://www.google.com/about/appsecurity/chrome-rewards/

We'll update you once we have a decision. Feel free to check in with me in a few weeks if you haven't heard back, either by updating this bug or reaching out to me at rouslan@chromium.org.
Cc: awhalley@chromium.org
Labels: Release-0-M59
Labels: -Security_Severity-Medium Security_Severity-Low
I'm afraid the VRP panel decided not to reward for this. Many thanks for the report, and while we did some hardening, the panel didn't believe this is inside our threat model.
Labels: CVE-2017-5082
Labels: -reward-topanel reward-0
Components: -UI>Browser>Autofill>Payments UI>Browser>Payments
Hi - at what point can we publicly disclose this? It looks like it got published in the changelog:
https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html

Thanks
Go ahead with the public disclosure, if you wish.


Comment 24 by sheriffbot@chromium.org, Aug 22 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-submitted
