New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Blocking:
issue 772433



Sign in to add a comment

Security: Autocomplete data can be stolen by malicious webpage

Reported by stoned...@gmail.com, Aug 9 2017

Issue description



VULNERABILITY DETAILS
Chrome autocomplete data (e.g. email addresses) can be stolen by a malicious webpage, if the page can convince the user to hold down the 'up' or 'down' arrow key for a few seconds (maybe by playing a game). This works even in Incognito mode.

Pressing the up/down arrow key in a form field causes the autocomplete popup to appear. Pressing the key again causes entries to be selected and the value to appear in the form field. This is done using Shadow DOM, so the value shouldn't be accessible until the user actually chooses a value (e.g. by hitting enter or clicking it). However, doing setSelectionRange(0,0) to clear the selection, followed by execCommand('insertText', null, ' ') causes the the shadow DOM value to be modified and placed into the .value field of the input. 

The autocomplete popup can be moved by changing the position of the input field. I've had limited success with moving it offscreen. On Ubuntu it seems be fully hidden if the browser is not maximised. On Windows it sometimes partially renders if the browser is not maximised.

VERSION
Chrome Version: 62.0.3179.0 (Canary)
Operating System: Windows 10, Ubuntu 16.04

REPRODUCTION CASE
Open the attached file and hold down either the 'up' or 'down' arrow key (you can also just tap the key repeatedly). If you have email addresses in your autocomplete data, they should be shown on the page. If you click the hide button first, the page will attempt to hide the autocomplete popup. As I mentioned above this seems to work in incognito mode. 



 
steal.html
1.3 KB View Download
I've also put the PoC at http://dev.jigawatt.co.uk/dev/autocomplete/steal.html 
Here's a version that grabs credit card details across multiple fields (also works in Incognito). You could probably also grab address data like this too. 
cardsteal.html
1.9 KB View Download
Here's a form for saving test credit card data if you need it.
card.html
542 bytes View Download
And hosted PoCs if you want (obvs don't use real card data!):
https://www.stonie.co.uk/autocomplete/cardsteal.html
https://www.stonie.co.uk/autocomplete/cards.html

Comment 5 by kenrb@chromium.org, Aug 9 2017

Cc: kenrb@chromium.org palmer@chromium.org
Components: UI>Browser>Autofill
Status: Untriaged (was: Unconfirmed)
Thanks for the report.

I think this might just be a duplicate of issue 448539, where we want to make it so that hidden fields don't get autofilled.

It's a little disconcerting that the page can get the data without the user actually selecting it. On the one hand if the page has induced the user to bring up and scroll through the autofill suggestions, it can probably also get the user to press enter and populate the fields. On the other, I think we have a general expectation that you need to select an autofill option before it becomes available to JavaScript, and at least on my part I didn't know it was possible to get it right out of the bubble.

Adding palmer@ for any thoughts on that.
Labels: Security_Severity-Medium Security_Impact-Stable M-62 Pri-2
Owner: f...@chromium.org
Status: Assigned (was: Untriaged)
felt, can you suggest someone on your autofill team to take a look at this?
Labels: OS-All
Cc: est...@chromium.org
estark is the Enamel TL. It sounds like we need to fill the form fields not on arrow (or mouseover), but on *select* (Enter or click).

Comment 9 by kenrb@chromium.org, Aug 9 2017

re comment#8: It sounds like that is generally the behavior, but the PoC gets around it with the following lines, to cause the value to populate into the normal DOM:
field.setSelectionRange(0,0);
var result = document.execCommand('insertText', false, ' ');
A more appropriate title for this bug might be 'Autocomplete data can be stolen via Shadow DOM leak'. I'm not sure if there are other places where sensitive data is held inside text fields using Shadow DOM - but if so, they would be vulnerable too.

I think another difference from issue 448539 is that lots of data can be stolen fairly rapidly with a single user gesture. Without this bug, an attacker would have to convince a user to type 'down, down, enter', then 'down, down, down, enter' and so on.
Project Member

Comment 11 by sheriffbot@chromium.org, Aug 10 2017

Labels: -Pri-2 Pri-1

Comment 12 by f...@chromium.org, Aug 21 2017

Owner: rogerm@chromium.org
Hi Roger, can you have a look at this?
Project Member

Comment 13 by sheriffbot@chromium.org, Aug 23 2017

rogerm: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: rogerm@chromium.org
Owner: se...@chromium.org
Seb, I'm OOO with no computer for another week, do you have some cycles to look at this? If not, I can look at it once I'm back from vacation.

There's another bug about chrome failing to fill shadow dom elements, which is an interesting twist on this.

Comment 15 by se...@chromium.org, Aug 24 2017

Looking now.

Comment 16 by se...@chromium.org, Aug 25 2017

Cc: tkent@chromium.org
I digged into the code to "preview" autofill suggestions and I arrived at this: The SetSuggestedValue of the HTMLInputElement class in WebKit (link at the bottom).

tkent@ are you familiar with this part of the code? I would appreciate any pointers you might have. Thanks!

* https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/html/HTMLInputElement.cpp?sq=package:chromium&dr=CSs&l=1063

Comment 17 by tkent@chromium.org, Aug 27 2017

Cc: yosin@chromium.org
Autofill team added the concept of 'suggested value' to HTMLInputElement, and I'm not so familiar with it.


Probably, we should disabled all of editing operations to a text field while it has a suggested value. Or we should show autofill preview values as 'placeholder' text instead of a kind of 'value'.

+yosin, who is an editing expert.

Comment 18 by se...@chromium.org, Aug 28 2017

Cc: ma...@chromium.org zkoch@chromium.org
Labels: -Pri-1 Pri-0
Thanks tkent@!

yosin@ can you please advise when you can?

Thanks

Comment 19 by se...@chromium.org, Aug 28 2017

You can also "repro" the bug manually.

Steps:

- Preview an autofill value in a field (ex https://rsolomakhin.github.io/autofill/)

- Use the left arrow key to put the cursor on the left of the input field.

- Press the "space" key, or any other. 

In this case the action is taken by the user, so it makes sense to set the field's value. The bug is triggering the same behavior programmatically.
Cc: -palmer@chromium.org

Comment 21 by se...@chromium.org, Aug 28 2017

Here are some updates of my investigation:

When an Autofill suggestion is previewed/suggestion, it is selected entirely in the originating field.

By changing the selection range (field.setSelectionRange(0,0);), the previewed value becomes unselected and thus will not be overwritten if the user types.

Then when the space is inserted (document.execCommand('insertText', false, ' ');), InsertTextCommand::DoApply(*1) is called. What is surprising there is that the space is inserted in the previewed value. 

Then, since this is a change that originates from the user side (vs browser side) this new value is set as the field's value, thus it is accessible in the DOM.


I am really surprised that when the space is inserted, it gets inserted in the suggested value. It seems like the data_ attribute of the Text object(*2) contains the suggested value of the field.

*1: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/editing/commands/InsertTextCommand.cpp?dr=CSs&q=inserttextcommand&sq=package:chromium&l=255

*2: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/CharacterData.cpp?type=cs&sq=package:chromium&l=93

Comment 22 by yosin@chromium.org, Aug 29 2017

TL;DR: To preview suggested value like placehold == do not hold suggested value in inner editor

I suggest to introduce suggested value element in shadow DOM tree like placeholder.
The content in inner editor of text control is exposed scripts and scripts can
access someway, e.g. execCommand, copy to clipboard.

Comment 23 by se...@chromium.org, Aug 29 2017

Labels: -Pri-0 ReleaseBlock-Stable Pri-1
After some investigation I don't think I could realistically make a good change guaranteed to be correct in time for M-62 (including the merge window)

Do you think you guys could take it on? 

Comment 24 by zkoch@chromium.org, Aug 29 2017

This is definitely a candidate for merge post branch. Yosin, let us know if this is something you can tackle quickly. Thanks!

Comment 25 by yosin@chromium.org, Aug 30 2017

Addition to #c22, the element for suggested value in UA shadow tree is used only
for previewing value.

Once user commits, by user action, previewed suggested value should be copied
into inner editor.

#c23, Do you think you guys could take it on? 
No, we don't have enough bandwidth.

Since it seems the change is not small, == too short for canary testing,
fix should be in M-63.





I disagree about M63 timeline. This is pretty serious as it exposes credit cards without user consent. We should be aggressive about merge ASAP.
+! to comment 26. We should get a fix landed ASAP and then evaluate the feasibility of a merge; we shouldn't delay a fix on the assumption that it won't be mergeable.
Status: Started (was: Assigned)
It's being actively worked on by sebsg@ for M62.
Cc: vasi...@chromium.org
+ vasilii@
Project Member

Comment 30 by bugdroid1@chromium.org, Oct 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb

commit 0727466e09c7285f3c4fe6a7974bfc68fd9bbccb
Author: sebsg <sebsg@chromium.org>
Date: Mon Oct 02 19:57:41 2017

[Autofill] Use ShadowDom placeholder to preview suggestions.

Bug:  753645 
Change-Id: Idabb4d01b45aa08a71f9fc8ad1dd89b192cfb0c5
Reviewed-on: https://chromium-review.googlesource.com/646754
Commit-Queue: Sebastien Seguin-Gagnon <sebsg@chromium.org>
Reviewed-by: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/master@{#505743}
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/chrome/renderer/autofill/form_autofill_browsertest.cc
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/chrome/renderer/autofill/password_autofill_agent_browsertest.cc
[add] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/LayoutTests/fast/forms/javascript-cannot-access-suggested-value.html
[add] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-empty-suggested-value-expected.txt
[add] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-empty-suggested-value.html
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-setvalue-expected.txt
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-setvalue.html
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/LayoutTests/fast/forms/suggested-value-expected.txt
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/LayoutTests/fast/forms/text/input-appearance-autocomplete-expected.html
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/LayoutTests/platform/win7/fast/forms/suggested-value-expected.txt
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/Source/core/html/HTMLInputElement.cpp
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/Source/core/html/HTMLInputElement.h
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/Source/core/html/HTMLTextAreaElement.cpp
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/Source/core/html/HTMLTextAreaElement.h
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/Source/core/html/TextControlElement.cpp
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/Source/core/html/TextControlElement.h
[modify] https://crrev.com/0727466e09c7285f3c4fe6a7974bfc68fd9bbccb/third_party/WebKit/Source/core/html/forms/TextFieldInputType.cpp

Project Member

Comment 31 by bugdroid1@chromium.org, Oct 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c28f832f0c87926662c1b9f7965fd7dd19d6b239

commit c28f832f0c87926662c1b9f7965fd7dd19d6b239
Author: Sebastien Seguin-Gagnon <sebsg@chromium.org>
Date: Tue Oct 03 12:40:55 2017

Revert "[Autofill] Use ShadowDom placeholder to preview suggestions."

This reverts commit 0727466e09c7285f3c4fe6a7974bfc68fd9bbccb.

Reason for revert: Makes some passwords be visible when suggested to the user.

Bug:  771097 


Original change's description:
> [Autofill] Use ShadowDom placeholder to preview suggestions.
> 
> Bug:  753645 
> Change-Id: Idabb4d01b45aa08a71f9fc8ad1dd89b192cfb0c5
> Reviewed-on: https://chromium-review.googlesource.com/646754
> Commit-Queue: Sebastien Seguin-Gagnon <sebsg@chromium.org>
> Reviewed-by: Kent Tamura <tkent@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#505743}

TBR=yosin@chromium.org,tkent@chromium.org,sebsg@chromium.org

Change-Id: I3a874ea052f598724831bdfcf0e16576a09353b4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  753645 
Reviewed-on: https://chromium-review.googlesource.com/697644
Reviewed-by: Sebastien Seguin-Gagnon <sebsg@chromium.org>
Commit-Queue: Sebastien Seguin-Gagnon <sebsg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506011}
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/chrome/renderer/autofill/form_autofill_browsertest.cc
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/chrome/renderer/autofill/password_autofill_agent_browsertest.cc
[delete] https://crrev.com/86b13b4626266c45ee364474bcf86208d4e2e4a2/third_party/WebKit/LayoutTests/fast/forms/javascript-cannot-access-suggested-value.html
[delete] https://crrev.com/86b13b4626266c45ee364474bcf86208d4e2e4a2/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-empty-suggested-value-expected.txt
[delete] https://crrev.com/86b13b4626266c45ee364474bcf86208d4e2e4a2/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-empty-suggested-value.html
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-setvalue-expected.txt
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-setvalue.html
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/LayoutTests/fast/forms/suggested-value-expected.txt
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/LayoutTests/fast/forms/text/input-appearance-autocomplete-expected.html
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/LayoutTests/platform/win7/fast/forms/suggested-value-expected.txt
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/Source/core/html/HTMLInputElement.cpp
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/Source/core/html/HTMLInputElement.h
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/Source/core/html/HTMLTextAreaElement.cpp
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/Source/core/html/HTMLTextAreaElement.h
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/Source/core/html/TextControlElement.cpp
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/Source/core/html/TextControlElement.h
[modify] https://crrev.com/c28f832f0c87926662c1b9f7965fd7dd19d6b239/third_party/WebKit/Source/core/html/forms/TextFieldInputType.cpp

Labels: -ReleaseBlock-Stable -M-62 M-63
Blocking: 772433
Project Member

Comment 34 by bugdroid1@chromium.org, Oct 19 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/962a26fe7d0355903d4c2721faddcbe51e0ee45c

commit 962a26fe7d0355903d4c2721faddcbe51e0ee45c
Author: sebsg <sebsg@chromium.org>
Date: Thu Oct 19 01:30:20 2017

[Autofill] Use ShadowDOM placeholder to preview suggestions.

The first patch is a re-upload of
https://chromium-review.googlesource.com/c/chromium/src/+/646754

The follow-up patches will add some modifcations on how we preview
username and password suggestions.

The suggestions will be in black text, and the password suggestions
should be hidden behind dots.

Bug:  753645 
Change-Id: I1d28ea47f443fc40a1cddf2cdef6b1ec86c4491e
Tbr: tkent@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/702056
Commit-Queue: Sebastien Seguin-Gagnon <sebsg@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Roger McFarlane <rogerm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509961}
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/chrome/renderer/autofill/form_autofill_browsertest.cc
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/chrome/renderer/autofill/password_autofill_agent_browsertest.cc
[add] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/LayoutTests/fast/forms/javascript-cannot-access-suggested-value.html
[add] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-empty-suggested-value-expected.txt
[add] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-empty-suggested-value.html
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-setvalue-expected.txt
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/LayoutTests/fast/forms/suggested-value-after-setvalue.html
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/LayoutTests/fast/forms/suggested-value-expected.txt
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/LayoutTests/fast/forms/text/input-appearance-autocomplete-expected.html
[add] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/LayoutTests/fast/forms/text/password-input-suggested-value-appearance-expected.html
[add] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/LayoutTests/fast/forms/text/password-input-suggested-value-appearance.html
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/LayoutTests/platform/win7/fast/forms/suggested-value-expected.txt
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/Source/core/css/html.css
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/Source/core/html/forms/HTMLInputElement.cpp
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/Source/core/html/forms/HTMLInputElement.h
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/Source/core/html/forms/HTMLTextAreaElement.cpp
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/Source/core/html/forms/HTMLTextAreaElement.h
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/Source/core/html/forms/TextControlElement.cpp
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/Source/core/html/forms/TextControlElement.h
[modify] https://crrev.com/962a26fe7d0355903d4c2721faddcbe51e0ee45c/third_party/WebKit/Source/core/html/forms/TextFieldInputType.cpp

Comment 35 by se...@chromium.org, Oct 30 2017

Labels: -M-63 M-64
Status: Fixed (was: Started)
Labels: reward-topanel
Project Member

Comment 37 by sheriffbot@chromium.org, Oct 31 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Nice one! The VRP panel has rewarded $1,000 for this. Also, how would you like to be credited in release notes?  Cheers!
Thanks! Could you credit me as: Paul Stone of Context Information Security
Labels: -reward-unpaid reward-inprocess
Project Member

Comment 42 by sheriffbot@chromium.org, Dec 15 2017

Labels: Merge-Request-64
Project Member

Comment 43 by sheriffbot@chromium.org, Dec 15 2017

Labels: -Merge-Request-64 Hotlist-Merge-Review Merge-Review-64
This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 44 by se...@chromium.org, Dec 15 2017

Labels: -Hotlist-Merge-Review -Merge-Review-64
I don't know why the merge request was added, it should have landed in M-64 initially.
Labels: Release-0-M64
Labels: CVE-2018-6037
Project Member

Comment 47 by sheriffbot@chromium.org, Feb 6

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-missing

Sign in to add a comment