
Issue 747674


Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 3
Type: Bug




After granting permission to open popups, a site may DoS the browser by repeatedly opening popups

Reported by office.c...@gmail.com, Jul 22 2017

Issue description

VULNERABILITY DETAILS
It is not a powerful vulnerability in terms of stealing data or memory corruption, but trust me, you would not want this to happen to your browser.
Basically, once you fool the user into allowing the pop-up generated by this rather fetching page that asks you to enable notifications, the user's browser will be clogged.

The browser will start opening tabs over and over and over again and refresh the page, making it impossible to access the tabs and to access the address bar. Closing the browser won't help. When you open it back, it goes back to the same exploit page and starts refreshing and re-opening the same page in new tabs very rapidly.

Clearing cache is also ineffective. The only way to fix the browser after that is to completely remove all data including accounts, saved passwords and history and bookmarks.

Real World USAGE:
One of the intrusive ads companies can use this maliciously by fooling the user into allowing the popup by telling him there are notifications available.

How does it work?
Basically, Chrome does not block window.open and window.location.reload, which can be used to create a script that loads when the page loads. On iOS, Safari seems immune.

VERSION
Chrome Version: 55.0.2883.91
Operating System: Android 7.0

REPRODUCTION CASE
You can reproduce the bug by going to https://fce365.info/exploit.html and allowing a pop-up once.

RESEARCHER:
GeoSn0w (@FCE365) of F.C.E. 365

Additional info:
I am not looking for a bounty; I know this does not qualify for one. I just wanted to let you know, maybe you can add some protection for this before a malicious ad starts using it.
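As an added example (not code from the reporter's page or from Chromium), the following shows the kind of per-tab budget for window.open() that a browser-side throttle could apply to the reload-and-open loop described above: the count is kept in a Web Storage-shaped store (sessionStorage in a browser, an in-memory stub here so it runs under Node) so that it survives the page reloading itself. The storage key and the simulation are constructed for this example.

```javascript
const KEY = "popupBudget"; // assumed storage key, constructed for this example

class PopupBudget {
  // maxOpens: opens allowed per windowMs; store: object with getItem/setItem
  // (Web Storage shape); now: clock in ms, injectable for deterministic tests
  constructor({ maxOpens = 2, windowMs = 10000, store, now = () => Date.now() }) {
    this.maxOpens = maxOpens;
    this.windowMs = windowMs;
    this.store = store;
    this.now = now;
  }
  // Read the recorded open() timestamps; tolerate missing or corrupt storage.
  load() {
    const raw = this.store.getItem(KEY);
    if (!raw) return [];
    try { return JSON.parse(raw).filter((t) => typeof t === "number"); } catch (e) { return []; }
  }
  // Returns true when an open() call may proceed, false when it is dropped.
  // Timestamps older than windowMs fall out of the budget, so a page that opens
  // one popup occasionally is unaffected while a reload loop runs dry at once.
  request() {
    const t = this.now();
    const recent = this.load().filter((x) => t - x < this.windowMs);
    const allowed = recent.length < this.maxOpens;
    if (allowed) recent.push(t);
    this.store.setItem(KEY, JSON.stringify(recent));
    return allowed;
  }
}

// Wrap a window.open-like function so over-budget calls return null, the
// same value the page sees when the popup blocker refuses a call.
function guardOpen(open, budget) {
  return function (...args) {
    return budget.request() ? open.apply(this, args) : null;
  };
}

// Simulate `loads` page loads, each calling open() once, stepMs apart, and
// return how many popups actually got through. The in-memory store stands in
// for sessionStorage, which survives a reload of the same tab.
function simulateReloadLoop(loads, stepMs) {
  const mem = new Map();
  const store = { getItem: (k) => (mem.has(k) ? mem.get(k) : null), setItem: (k, v) => mem.set(k, v) };
  let clock = 0;
  const budget = new PopupBudget({ store, now: () => clock });
  let opened = 0;
  const open = guardOpen(() => { opened += 1; return {}; }, budget);
  for (let i = 0; i < loads; i++) { open("about:blank"); clock += stepMs; }
  return opened;
}
```

In a real browser the wrapper would be installed as `window.open = guardOpen(window.open, new PopupBudget({ store: sessionStorage }))`; a hundred reloads fifty milliseconds apart then yield two popups, while three opens twenty seconds apart all go through.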



 
Components: UI>Browser>PopupBlocker
Labels: Needs-Feedback
Summary: Security: After granting permission to open popups, a site may open many popups. (was: Security: Clogging the browser and making it unusable unless all data is removed.)
When you say "allowing a pop-up once", what specifically do you mean? Did you change the setting to "Always allow popups from fce365.info"?

It's certainly true that after setting that configuration a site may open many popups (although this one is not actually nearly as nasty as it could be, since each page only tries to open one, and closing the new tab via Ctrl+W before page load ends the assault.)

Yes, the trick is that you customize a page so well that you make it look like the page is legit and tries to show some real info but the browser blocked it. On my Moto G4 running Android 7.0, it is all a matter of a blue button on the bottom. You instruct the untrained user to click it, and once he does, he won't be able to stop the script without removing all Chrome data in Settings.

Comment 3 Deleted


Comment 4 by sheriffbot@chromium.org, Jul 24 2017

Cc: elawrence@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
I've also tested on Safari, iOS 10.3.2, and apparently Safari won't load the page at all. A bit of a lookup reveals the fact that Safari does not accept window.open commands (or any similar command that would start multiple windows).

P.S. You've mentioned CTRL + W, but on Android that is not possible, is it?

Comment 6 by jochen@chromium.org, Jul 24 2017

Cc: timloh@chromium.org benwells@chromium.org
We're currently rethinking the permissions for popups (see issue 82362) - that would probably also address this issue

Owner: timloh@chromium.org
Status: Assigned (was: Unconfirmed)
timloh@, is this a duplicate of issue 82362?

This one is not about pop ups that show up after user blocks all pop ups. In this scenario we assume the user did not fiddle with that setting and the browser just blocked a casual pop up.

timloh@, Sure, no big deal, just thought I should let you know because those ads are getting as nasty as it gets lately.

Comment 9 by timloh@chromium.org, Jul 27 2017

Labels: -Type-Bug-Security OS-Android Type-Bug
Summary: After granting permission to open popups, a site may open many popups. (was: Security: After granting permission to open popups, a site may open many popups.)
A few thoughts:
- You can probably turn off data to stop this (or be somewhere with a slow enough connection; it's easy enough to close the latest tab with my connection)
- Have you seen this on actual websites? I'm not sure what a website would get out of doing this.
- Maybe we should change the infobar to be [Always Show] [Show], or [Don't Show] [Show] with a persist toggle. It's not clear to me why we don't support opening a pop-up without saving the setting on mobile.

I'll tell you what they get: they open multiple pop-ups with ads (of course, deceptive ads that pay per impression, not per click) and get paid.

I think we should not allow window.open to work in the browser at all, as it can be used to spawn these pop-ups, and most of the deceptive ads that open themselves while you click links or menus on websites are making use of this window.open.

What do you think?

Labels: -Restrict-View-SecurityTeam Pri-3
Owner: ----
Status: Available (was: Assigned)
Summary: After granting permission to open popups, a site may DoS the browser by repeatedly opening popups (was: After granting permission to open popups, a site may open many popups.)
Unassigning myself since I haven't had and probably won't have time to look at this.
