Project: chromium
Starred by 1 user
Status: Fixed
Owner:
Closed: May 15
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug-Security
Security: FLAG_SECURE not used on Android for credit cards pre-fills
Reported by ya...@nightwatchcybersecurity.com, May 11 Back to list
VULNERABILITY DETAILS
FLAG_SECURE is not used within Chrome on Android when putting in prefilled credit card numbers. This would allow another application on the same device to see the screen and capture the numbers. By comparison Android Pay and Android Wallet use FLAG_SECURE for credit card entry.

We have a blog post here explaining FLAG_SECURE:
https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/

VERSION
Chrome Version: 58.0.3029.83 stable
Operating System: Android 7.1.2; security patch level May 5 2017

REPRODUCTION CASE
To reproduce:
1. Open Chrome.
2. Go to Settings, Autofill and payments, Credit Cards.
3. Tap on "Add credit card".
4. Press Power and volume down to capture screenshot.
5. Confirm that a screenshot can be taken.
 
Cc: wuandy@chromium.org
Components: UI>Browser>Autofill>Payments
Labels: Security_Severity-Medium Security_Impact-Stable OS-Android Pri-1
Owner: rouslan@chromium.org
Status: Assigned
Project Member Comment 2 by sheriffbot@chromium.org, May 12
Labels: M-59
Status: Started
Cc: tedc...@chromium.org ma...@chromium.org gogerald@chromium.org
https://chromium-review.googlesource.com/c/504787/
Project Member Comment 5 by bugdroid1@chromium.org, May 15
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/416588f2ea472b4f9273cbd0e40c1d18f71d1cba

commit 416588f2ea472b4f9273cbd0e40c1d18f71d1cba
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Mon May 15 17:04:54 2017

Prevent screenshots of the card editor views.

Before this patch, users could take screenshots of the local credit card
editor views, which show the full card number in plain text. (Chrome
does not show the full number of the server cards.)

This patch adds a FLAG_SECURE to the window of the local card editors
for PaymentRequest and autofill. The flag is added for Chrome Beta and
Stable builds to protect regular users. Dev, Canary, and developer
builds do not have the FLAG_SECURE set.

After this patch, users cannot take screenshots of the local card
editor views in Chrome Beta and Stable.

Bug:  721579 
Change-Id: I82dcd7c83cec85fb3f8dd58aa7ab25c2826641d0
Reviewed-on: https://chromium-review.googlesource.com/504787
Reviewed-by: Ted Choc <tedchoc@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#471807}
[modify] https://crrev.com/416588f2ea472b4f9273cbd0e40c1d18f71d1cba/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/EditorView.java
[modify] https://crrev.com/416588f2ea472b4f9273cbd0e40c1d18f71d1cba/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/PaymentRequestUI.java
[modify] https://crrev.com/416588f2ea472b4f9273cbd0e40c1d18f71d1cba/chrome/android/java/src/org/chromium/chrome/browser/preferences/autofill/AutofillLocalCardEditor.java

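The commit above describes the mitigation in words only: give the window that renders the plain-text card number the FLAG_SECURE window flag, and do so only on the release channels that regular users run. The Android code below is an added illustration of that technique and is not Chromium's code; the `CardEditorActivity` class, the `R.layout.card_editor` layout and the `PROTECT_FROM_CAPTURE` gate are assumptions standing in for the Beta/Stable channel check the commit message mentions (Chromium's own channel test is not shown on this page).

```java
// Added example, not Chromium's code. Marks a sensitive Android window so the
// system excludes it from screenshots, screen recordings (MediaProjection) and
// mirroring to non-secure displays.
import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;

public class CardEditorActivity extends Activity {
    // Hypothetical channel gate: the commit message applies the flag only on
    // Beta and Stable, leaving Dev/Canary/developer builds capturable so that
    // engineers can still take screenshots. BuildConfig.DEBUG is the Gradle
    // generated constant; it approximates "developer build" here, nothing more.
    private static final boolean PROTECT_FROM_CAPTURE = !BuildConfig.DEBUG;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The flag must be in place before the first frame is drawn; setting it
        // after the card number is on screen leaves a window of exposure.
        if (PROTECT_FROM_CAPTURE) {
            applySecureFlag(getWindow());
        }
        setContentView(R.layout.card_editor); // hypothetical layout resource
    }

    /** Adds FLAG_SECURE to an existing window; safe to call more than once. */
    static void applySecureFlag(Window window) {
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE);
    }

    /**
     * A Dialog owns a separate Window, so a secure Activity does not protect a
     * card editor shown as a dialog (the EditorView case in the commit): the
     * dialog's own window needs the flag as well.
     */
    static void showSecureDialog(Dialog dialog) {
        Window w = dialog.getWindow();
        if (w != null) {
            applySecureFlag(w);
        }
        dialog.show();
    }

    /** Check used in a UI test to confirm the protection actually took effect. */
    static boolean isSecure(Window window) {
        int flags = window.getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }
}
```

Two points worth checking in review of a change like this: every surface that shows the secret needs its own flag (an Activity, a Dialog and a PreferenceFragment host are three different windows, which matches the three files the commit touches), and the flag only stops system-mediated capture, so it does not protect against a compromised device or a camera pointed at the screen, which is consistent with the later panel comment that this sits outside Chrome's threat model.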
Labels: Merge-Request-59
Project Member Comment 7 by sheriffbot@chromium.org, May 15
Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 8 by bugdroid1@chromium.org, May 15
Labels: -merge-approved-59 merge-merged-3071
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0ad491fdca26232f4edc8120121859209ebc5a0a

commit 0ad491fdca26232f4edc8120121859209ebc5a0a
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Mon May 15 18:53:52 2017

[Merge M-59] Prevent screenshots of the card editor views.

Before this patch, users could take screenshots of the local credit card
editor views, which show the full card number in plain text. (Chrome
does not show the full number of the server cards.)

This patch adds a FLAG_SECURE to the window of the local card editors
for PaymentRequest and autofill. The flag is added for Chrome Beta and
Stable builds to protect regular users. Dev, Canary, and developer
builds do not have the FLAG_SECURE set.

After this patch, users cannot take screenshots of the local card
editor views in Chrome Beta and Stable.

TBR=rouslan@chromium.org

(cherry picked from commit 416588f2ea472b4f9273cbd0e40c1d18f71d1cba)

Bug:  721579 
Change-Id: I82dcd7c83cec85fb3f8dd58aa7ab25c2826641d0
Reviewed-on: https://chromium-review.googlesource.com/504787
Reviewed-by: Ted Choc <tedchoc@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#471807}
Reviewed-on: https://chromium-review.googlesource.com/505531
Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/branch-heads/3071@{#559}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}
[modify] https://crrev.com/0ad491fdca26232f4edc8120121859209ebc5a0a/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/EditorView.java
[modify] https://crrev.com/0ad491fdca26232f4edc8120121859209ebc5a0a/chrome/android/java/src/org/chromium/chrome/browser/payments/ui/PaymentRequestUI.java
[modify] https://crrev.com/0ad491fdca26232f4edc8120121859209ebc5a0a/chrome/android/java/src/org/chromium/chrome/browser/preferences/autofill/AutofillLocalCardEditor.java

Status: Fixed
Project Member Comment 10 by sheriffbot@chromium.org, May 16
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Hi - is this bug eligible for the Chrome Rewards program?
Labels: reward-topanel
Thanks for your report. We'll consider your report under the Chrome Reward Program for a security cash reward - full details here: https://www.google.com/about/appsecurity/chrome-rewards/

We'll update you once we have a decision. Feel free to check in with me in a few weeks if you haven't heard back, either by updating this bug or reaching out to me at rouslan@chromium.org.
Cc: awhalley@chromium.org
Labels: Release-0-M59
Labels: -Security_Severity-Medium Security_Severity-Low
I'm afraid the VRP panel decided not to reward for this. Many thanks for the report, and while we did some hardening, the panel didn't believe this is inside our threat model.
Labels: CVE-2017-5082
Labels: -reward-topanel reward-0
Components: -UI>Browser>Autofill>Payments UI>Browser>Payments
Hi - at what point can we publicly disclose this? It looks like it got published in the changelog:
https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html

Thanks
Go ahead with the public disclosure, if you wish.
Comment 22 Deleted
Project Member Comment 24 by sheriffbot@chromium.org, Aug 22
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.