Starred by 5 users

Issue metadata

Status: WontFix
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug
Team-Security-UX




Site engagement can be gamed by tricking the user into many navigations

Reported by ma7h1a...@gmail.com, May 16 2017

Issue description

VERSION
Chrome Version: 58.0.3029.110 stable
Operating System: Windows 10 enterprise

VULNERABILITY DETAILS
Chrome version 58 disabled Flash execution by default.
If a user wants to use Flash, he must click the Flash area and confirm the notice window
to open it.
But this bug shows a way to make a redirection between two pages
without any notice to open it and make an attack.
Needs user interaction: clickjacking (make a small game).
Click about 300 times and the Flash could execute.

REPRODUCTION CASE

Please put them on a local webserver; I used Apache + PHP,
and use new.html to perform this attack.
result.png shows the attack result.
 
3.swf
786 bytes Download
index.html
14 bytes View Download
new.html
825 bytes View Download
x.html
109 bytes View Download
result.png
20.3 KB View Download
Issue 722726 has been merged into this issue.
Components: Internals>Permissions>SiteEngagement Internals>Plugins>Flash
Summary: Security: chrome flash default-disabled bypass (was: Security: chrome flash default-disbaled bypass)
I /suspect/ this is a result of the fact that we don't really disable Flash by default, we instead disable Flash for most sites based on the site engagement score. See  Issue 699300 .

Comment 3 by wfh@chromium.org, May 16 2017

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Chrome OS-Linux OS-Mac OS-Windows Pri-2 Type-Bug
Summary: chrome flash default-disabled bypass (was: Security: chrome flash default-disabled bypass)
Site engagement score is specifically, by design, not a security barrier, so this is not a security bug.

The site engagement folks might be interested in addressing this gaming of the metric though, so leaving as a bug for now.

Comment 4 Deleted

Comment 5 Deleted

Comment 6 by ma7h1a...@gmail.com, May 16 2017

If the "engagement score" is used to do those things, then it is actually a security barrier,
and once the attacker uses it on a "low engagement score"
he could even only use a remote file with any extension (.jpg, the most common)
to make a Flash cross-domain CSRF and steal the user's important information.

Comment 7 by adumail2@gmail.com, May 16 2017

Maybe what we should talk about is that the Flash player is being enabled without any notification to the user. This is the point, since once the Flash player is enabled, payloads other than a CSRF are available to be deployed.

Personally I think this is a security vulnerability since it performs like a "primer" in the bullet. Waiting for a warhead to come is not a good idea.

Comment 8 by wfh@chromium.org, May 16 2017

Issue 722941 has been merged into this issue.

Comment 9 by wfh@chromium.org, May 16 2017

It might be a functional bug to be able to game the site engagement service, but this is not a security bug, as the design for site engagement specifically states:

"Site engagement will never be used to silently grant privacy or security sensitive permissions." [1]

Flash might be running but the fact that Flash is running is not a security issue per se, since it's still running inside the Chrome sandbox and would require bugs to gain execution and escape that sandbox.

[1] https://docs.google.com/document/d/1GQE9gguqVMgXvR68jZyIsBhHVoAJb9m4fTn6omfqj4M/edit#heading=h.k4pjrzlnm098
OK, thanks for handling this problem.
Although it just blocks some attacks by accident,
hope it could be fixed.
Status: Available (was: Unconfirmed)
Summary: Site engagement can be gamed by tricking the user into many navigations (was: chrome flash default-disabled bypass)
Navigation from link clicks does not generate any site engagement. The user needs to explicitly type in a URL in the omnibox or some other kind of more direct navigation in order to earn engagement from just visiting a URL.

If a site manages to get the user to interact with it sufficiently, engagement will naturally go up (that's the whole definition of engagement really). So this is really working as intended: a site that manages to get a user to stay on it and interact with it for a while will naturally gain engagement.

If there's no other comments here, I'm going to WontFix this since it's working as intended.

Comment 13 by adumail2@gmail.com, Jun 20 2017

wait.

who renamed this issue?

the original issue seems "chrome flash default-disabled bypass (was: Security: chrome flash default-disabled bypass)"

rename it to something totally unrelated to security, and then WontFix it? Boring.
As mentioned in #3, "Site engagement score is specifically, by design, not a security barrier, so this is not a security bug."
Status: WontFix (was: Available)
WontFixing as per c#12. Please reopen if there are any more comments.
