Security: Take pointer lock without showing "Press Esc to show your cursor" (lock, unlock, relock)
Issue description

VULNERABILITY DETAILS
A web page can enter pointer lock without showing the "Press Esc" bubble (which is considered a security surface). It takes advantage of the so-called "silent mouse lock", the deliberate logic that suppresses the bubble if a site voluntarily releases the lock, then acquires it again.

The way this is *supposed* to work is this:
1. Site takes pointer lock. "Press Esc to show your cursor" is shown.
2. User reads the prompt and uses the site for a while.
3. Site voluntarily relinquishes the lock.
4. Later, the site takes the lock again. No bubble is shown; the first is considered sufficient.

This is to facilitate sites that switch back and forth between the two modes a lot, such as games that use the mouse for menus but lock the mouse during gameplay.

The exploit is to remove Step 2 by immediately relinquishing the lock, causing the bubble to vanish before the user can read it. Therefore:
1. Call requestPointerLock(). The bubble starts animating in.
2. After a short timeout (e.g., 20s), call exitPointerLock(). The bubble is deleted before the user sees it.
3. After a short timeout (e.g., 20s), call requestPointerLock() again. No bubble is shown.

I swear this has been reported before, but I can't find it, so I recreated the repro. Related (but different attack): Issue 724967

VERSION
Chrome Version: 60 (r471643); likely goes back years.
Operating System: Linux 14.04

REPRODUCTION CASE
HTML attached.
1. Open page.
2. Click the button.
Setting to Sev-Medium for consistency with issue 724967. We might want to re-evaluate that later, though. I don't know that there are particularly concerning attack scenarios with this.
May 23 2017
Pointer lock is not a security or privacy threat. Pointer lock is a UX issue. Data can not be revealed, distributed, etc. This was established in 2011 and occasionally needs to be recirculated. I've brought this up on the relevant email thread, will give that time to be addressed, and then clear the security flags from these issues.
May 25 2017
Talked with dtapuska@, the plan is to:
1. Move the silent flag to renderer host
2. Don't update the flag if the bubble was dismissed by JS (e.g. only set the flag to false after the bubble's timeout or dismiss gestures, if any)

This should mitigate issue 725365 as well. Will start implementing it and see how it works.
May 26 2017
Clearing security flags. Unexpected mouse lock can be a user annoyance, and this can be considered a denial of service bug, but since that is the extent of exposure we don't consider it a security vulnerability. https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Are-denial-of-service-issues-considered-security-bugs-
Aug 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7a437eb901b1e00533251a69c5e4f5223b7ad609

commit 7a437eb901b1e00533251a69c5e4f5223b7ad609
Author: Chong Zhang <chongz@chromium.org>
Date: Fri Aug 04 16:13:47 2017

[PointerLock] Add a callback when |ExclusiveAccessBubble| finished displaying

For better silent mouse logic we need to know when the pointer lock bubble has finished displaying.

Behavior Change: No. Next CL will update silent mouse lock logic.

Code Change: This CL adds a callback |ExclusiveAccessBubbleHideCallback| when it finished displaying, and the hide reason |ExclusiveAccessBubbleHideReason| could be:
1. |kNotShown|: The bubble was never shown. e.g. View destroyed before the bubble could be shown.
2. |kInterrupted|: The bubble hasn't been displayed long enough. e.g. User pressed ESC, or script called |exitPointerLock()|.
3. |kTimeout|: The bubble has been displayed for some time and dismissed by the timer.

Silent Mouse Lock Logic Plan: Store the last |WebContents*| inside |MLC| if its bubble has been dismissed by the timer (|kTimeout|). Allow silent mouse lock if the |WebContents*| is current and |last_unlocked_by_target|.

Design Doc: https://docs.google.com/a/chromium.org/document/d/1DuZDnpxx8zppVl9IY__teeMnJ3Vbwgds1gAps1vqU3U/edit?usp=sharing
Bug: 725370
Change-Id: If5d3733542dbe3b8c22b5078ce3ef4c960101594
Reviewed-on: https://chromium-review.googlesource.com/562620
Commit-Queue: Chong Zhang <chongz@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Trent Apted <tapted@chromium.org>
Reviewed-by: Vincent Scheib <scheib@chromium.org>
Cr-Commit-Position: refs/heads/master@{#492045}

[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/BUILD.gn
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/browser_command_controller_unittest.cc
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/cocoa/browser/exclusive_access_controller_views.h
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/cocoa/browser/exclusive_access_controller_views.mm
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/exclusive_access_bubble.cc
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/exclusive_access_bubble.h
[add] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/exclusive_access_bubble_hide_callback.h
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/exclusive_access_context.h
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/exclusive_access_manager.cc
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/exclusive_access_manager.h
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/fullscreen_controller.cc
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/fullscreen_controller_browsertest.cc
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/fullscreen_controller_state_unittest.cc
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/fullscreen_controller_test.cc
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/fullscreen_controller_test.h
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/mouse_lock_controller.cc
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/exclusive_access/mouse_lock_controller.h
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/views/exclusive_access_bubble_views.cc
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/views/exclusive_access_bubble_views.h
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/views/frame/browser_view.cc
[modify] https://crrev.com/7a437eb901b1e00533251a69c5e4f5223b7ad609/chrome/browser/ui/views/frame/browser_view.h
Aug 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/36884630897ee5bbf6d55f97b1c257c258e31e39

commit 36884630897ee5bbf6d55f97b1c257c258e31e39
Author: Chong Zhang <chongz@chromium.org>
Date: Thu Aug 17 20:02:30 2017

[PointerLock] Only allow silent mouse lock after bubble timeout

This patch adds |web_contents_with_silent_mouse_lock_permission_| in |MouseLockController| to record the last |WebContents| that is allowed to lock mouse silently. The variable is updated when a |WebContents| locked mouse and let the exit instruction bubble be displayed until timeout.

|MLC::RequestToLockMouse()| will lock mouse silently iff. the requestor has permission and is last unlocked by target/script.

Bug: 725370
Change-Id: Ic4dad8eb9b297ceb54e0271877772835e5410d40
Reviewed-on: https://chromium-review.googlesource.com/607408
Commit-Queue: Chong Zhang <chongz@chromium.org>
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Reviewed-by: Vincent Scheib <scheib@chromium.org>
Cr-Commit-Position: refs/heads/master@{#495291}

[modify] https://crrev.com/36884630897ee5bbf6d55f97b1c257c258e31e39/chrome/browser/ui/exclusive_access/exclusive_access_bubble.h
[modify] https://crrev.com/36884630897ee5bbf6d55f97b1c257c258e31e39/chrome/browser/ui/exclusive_access/fullscreen_controller_browsertest.cc
[modify] https://crrev.com/36884630897ee5bbf6d55f97b1c257c258e31e39/chrome/browser/ui/exclusive_access/fullscreen_controller_interactive_browsertest.cc
[modify] https://crrev.com/36884630897ee5bbf6d55f97b1c257c258e31e39/chrome/browser/ui/exclusive_access/fullscreen_controller_test.cc
[modify] https://crrev.com/36884630897ee5bbf6d55f97b1c257c258e31e39/chrome/browser/ui/exclusive_access/fullscreen_controller_test.h
[modify] https://crrev.com/36884630897ee5bbf6d55f97b1c257c258e31e39/chrome/browser/ui/exclusive_access/mouse_lock_controller.cc
[modify] https://crrev.com/36884630897ee5bbf6d55f97b1c257c258e31e39/chrome/browser/ui/exclusive_access/mouse_lock_controller.h
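A small model of the silent-mouse-lock decision, added here as an example and not Chromium's MouseLockController code: it runs the report's lock / unlock / relock trace and a legitimate game trace under the pre-fix policy (silent relock whenever the site itself released the lock) and the post-fix policy from the two commits above (silent relock only when that WebContents' bubble ran until its timer dismissed it). The hide reasons are the ones named in the first commit; the class, the WebContents ids and the event traces are constructed.

```javascript
const HideReason = { NOT_SHOWN: "kNotShown", INTERRUPTED: "kInterrupted", TIMEOUT: "kTimeout" };

// Constructed model of the decision, not Chromium's MouseLockController.
class MouseLockModel {
  // requireBubbleTimeout=false: pre-fix policy, silent relock whenever the site released the lock.
  // requireBubbleTimeout=true:  post-fix policy, also require this WebContents' bubble to have timed out.
  constructor(requireBubbleTimeout) {
    this.requireBubbleTimeout = requireBubbleTimeout;
    this.lockedBy = null;              // WebContents id currently holding the lock
    this.lastUnlockedByTarget = false; // lock was released by script, not by the user or browser
    this.silentPermission = null;      // WebContents id whose bubble ran until its timer dismissed it
  }
  // Grants the lock; returns true when it was granted without showing the bubble.
  request(wc) {
    const silent = this.lastUnlockedByTarget &&
      (!this.requireBubbleTimeout || this.silentPermission === wc);
    this.lockedBy = wc;
    return silent;
  }
  // The bubble's hide callback: only a timer dismissal earns silent-lock permission.
  bubbleHidden(wc, reason) {
    if (reason === HideReason.TIMEOUT) this.silentPermission = wc;
  }
  exit(wc, byScript) {
    if (this.lockedBy !== wc) return;
    this.lockedBy = null;
    this.lastUnlockedByTarget = byScript;
  }
}

// The report's trace: lock, script exits before the bubble can be read, relock.
function relockIsSilentAfterEarlyExit(requireBubbleTimeout) {
  const m = new MouseLockModel(requireBubbleTimeout);
  m.request("wc1");                              // bubble starts animating in
  m.exit("wc1", true);                           // exitPointerLock() cuts it short
  m.bubbleHidden("wc1", HideReason.INTERRUPTED);
  return m.request("wc1");                       // pre-fix: true (silent); post-fix: false
}

// A legitimate game: the bubble times out, the site toggles the lock for a menu
// (relock stays silent), then the user presses Esc (the next lock shows the bubble again).
function gameTrace(requireBubbleTimeout) {
  const m = new MouseLockModel(requireBubbleTimeout);
  m.request("wc1");
  m.bubbleHidden("wc1", HideReason.TIMEOUT);
  m.exit("wc1", true);
  const silentMenuRelock = m.request("wc1");
  m.exit("wc1", false);
  const silentAfterEsc = m.request("wc1");
  return { silentMenuRelock, silentAfterEsc };
}
```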
Comment 1 by mgiuca@chromium.org, May 23 2017: repro HTML attached (738 bytes)