
Issue metadata

Status: Fixed
Closed: Aug 2017
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug-Security


Issue 732751: Security: Referer leakage in chrome debug protocol

Reported by, Jun 13 2017

Issue description

There is a referer leakage in the built-in Chrome chrome-devtools-frontend which can allow an attacker to access the instance of the Chrome remote protocol.

Chrome Version: 59.0.3071.86 (Official Build) (64-bit)
Operating System: macOS Sierra 10.12.1

First of all we need to run an instance of headless Chrome with this command:
/Applications/Google\ Chrome --remote-debugging-port=9222 --incognito --headless --disable-gpu

After that we need to go to the attacker site using headless Chrome by going to such a URL:

The attacker site must console.log some link to the attacker's HTTPS site.

If the user clicks it, the attacker will be able to get the Referer of chrome-devtools-frontend with the leaked ws GET parameter in it. After that the attacker can close the tab with chrome-devtools-frontend using opener.location and will be able to access the instance of the remote protocol via JavaScript using a websocket connection and access user files (CHECKED) or maybe something worse (NOT CHECKED:).

I am currently making a PoC. I will try to make it as soon as possible, guys.

Comment 1 by, Jun 13 2017

Components: Platform>DevTools>Platform

Comment 2 by, Jun 13 2017

Labels: Security_Severity-Low Security_Impact-Stable M-61 OS-Chrome OS-Linux OS-Mac OS-Windows Pri-2
Status: Assigned (was: Unconfirmed)
dgozman, can you please take a look? I'm not sure what the "ws GET parameter" is so I'm not sure how severe this is. I'm tentatively assigning Low severity because of the user interaction involved. Nevertheless it seems like it would be a good idea to not include Referer headers from links clicked in DevTools.

Comment 4 by, Jun 13 2017

Video PoC (9.4 MB attachment)

Comment 5 by, Jun 13 2017

Here is also the code of the PoC, made on nodejs and express (3.1 KB attachment).

Comment 6 by, Jun 13 2017

I think a good idea is not to include the address of the websocket in the URL.
Maybe it should be sent over a POST request?

Comment 7 by, Jun 13 2017

Hmm... Interesting. Although requiring a flag means no real exposure (per Chrome policy), this is worth fixing anyway.

Andrey, mind taking a look?

Comment 8 by, Jun 13 2017

Better main.js code (3.1 KB attachment)

Comment 9 by, Jun 19 2017

Guys, can I remove the web PoC from the internet (
Or should it stay online for now?

Comment 10 by, Aug 14 2017

Guys, is it bug bounty applicable or something like that?

Comment 11 by, Aug 15 2017


Comment 12 by, Aug 15 2017

RE: #10: The Chrome Vulnerability Rewards team evaluates issues after the fix has landed. In general, issues of Low Severity are not awarded, but there are exceptions for especially interesting vulnerabilities.

Comment 13 by, Aug 15 2017

Project Member
The following revision refers to this bug:

commit a8ef19900d003ff7078fe4fcec8f63496b18f0dc
Author: Dmitry Gozman <>
Date: Tue Aug 15 16:49:52 2017

[DevTools] Use no-referrer for DevTools links

Bug: 732751
Change-Id: I77753120e2424203dedcc7bc0847fb67f87fe2b2
Reviewed-by: Andrey Kosyakov <>
Commit-Queue: Dmitry Gozman <>
Cr-Commit-Position: refs/heads/master@{#494413}

Comment 14 by, Aug 15 2017

Status: Fixed (was: Assigned)
Thanks for bringing attention to this. It slipped off our radar. I think it should be fixed now. Mind checking on your end?

Comment 15 by, Aug 15 2017

It looks fixed from my side.

Comment 16 by, Aug 16 2017

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 17 by, Aug 28 2017

Labels: reward-topanel

Comment 18 by, Sep 1 2017

Labels: -reward-topanel reward-0
Hello watashiwaher@. I'm sorry to say the VRP panel decided not to award for this bug, citing the amount of victim interaction needed, and the unlikelihood of the scenario.

If you could describe how this could be used to attack users in a less niche scenario we'd be willing to take another look. Thanks!

Comment 19 by, Sep 1 2017

(Note that it will be getting a CVE assigned when M61 goes stable)

Comment 20 by, Sep 2 2017

There is one more scenario, where you don't need to click a link.
But you should probably open Network tab.

Comment 21 by, Sep 2 2017

I found an elegant solution without interaction:

You just need to:

console.log('%c       ', 'font-size: 100px; background: url( no-repeat;');

And the image will be directly loaded from your tab (and the referer will leak, I checked).

If you need some PoCs or something like that, ask me.
Screen Shot 2017-09-02 at 11.16.25.png (148 KB attachment)

Comment 22 by, Sep 2 2017

Actually the console is open all the time in Chrome dev tools for most users (the bottom part actually), and the request will be sent.

Comment 23 by, Sep 2 2017

A dumber solution that I mentioned is to send a 404 error page with an image inside it.
Screen Shot 2017-09-02 at 11.24.15.png (80.0 KB attachment)
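As an added, defender-side example (not the reporter's PoC and not Chromium code): a Python scanner for a site's access log that flags Referer headers carrying a DevTools ws= debugging endpoint, the leak described in the issue description and again in comments 21 to 23, and redacts the value before the log is stored. The log lines and the two DevTools frontend URL shapes are constructed for illustration and assumed, not taken from the report.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed sample access-log lines in combined format (Referer is the second
# quoted field). The DevTools frontend URL shapes are assumed for illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jun/2017:12:00:01 +0000] "GET /img.png HTTP/1.1" 200 512 "https://chrome-devtools-frontend.appspot.com/serve_rev/@123456/inspector.html?ws=127.0.0.1:9222/devtools/page/7E4C1B" "Mozilla/5.0"
203.0.113.6 - - [13/Jun/2017:12:00:02 +0000] "GET /img.png HTTP/1.1" 200 512 "https://example.org/blog/" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2017:12:00:03 +0000] "GET /img.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [13/Jun/2017:12:00:04 +0000] "GET /x HTTP/1.1" 200 1 "chrome-devtools://devtools/bundled/inspector.html?ws=localhost:9222/devtools/page/AB12" "Mozilla/5.0"
"""

# ip, ident, user, [time], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "([^"]*)" "[^"]*"$')

def devtools_ws_endpoint(referer):
    """Return the remote-debugging websocket endpoint (host:port/path) exposed
    by a DevTools frontend Referer carrying a ws= parameter, else None."""
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    ws = parse_qs(parts.query).get("ws")
    if not ws:
        return None
    # Only count URLs that look like the DevTools frontend (chrome-devtools://
    # scheme or the hosted frontend), not any page that happens to use ws=.
    looks_like_devtools = (parts.scheme == "chrome-devtools"
                           or "devtools" in parts.netloc
                           or parts.path.endswith("inspector.html"))
    return ws[0] if looks_like_devtools else None

def scan_log(text):
    """Return (client_ip, leaked_endpoint) for each line whose Referer exposes
    a DevTools debugging socket: that client's browser is reachable over it."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            endpoint = devtools_ws_endpoint(m.group(2))
            if endpoint:
                hits.append((m.group(1), endpoint))
    return hits

def redact_referer(referer):
    """Drop the ws= value so the Referer can be logged without the endpoint."""
    parts = urlsplit(referer)
    if not parse_qs(parts.query).get("ws"):
        return referer
    kept = [kv for kv in parts.query.split("&") if not kv.startswith("ws=")]
    return urlunsplit(parts._replace(query="&".join(kept + ["ws=REDACTED"])))
```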

Comment 24 by, Sep 5 2017

Labels: -M-61 M-62

Comment 25 by, Sep 17 2017

Is it still a bad bug? :O

Comment 26 by, Oct 16 2017

Labels: Release-0-M62

Comment 27 by, Oct 18 2017

Labels: CVE-2017-15393

Comment 28 by, Nov 22 2017

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 29 by, Apr 25 2018

Labels: CVE_description-submitted
