Directory Picker UI makes file jacking attack more feasible
Reported by saurabh....@gmail.com, Nov 2 2017

Issue description
VULNERABILITY DETAILS
The name of the button for folder upload is not UPLOAD. This makes the file jacking attack more feasible. The button should be named Upload. This will make users think that they are uploading the file instead of downloading files. Hence, many users will be saved from this attack. Please see the attachment for more details.
VERSION
Chrome Version: [61.0.3163.100] + [stable]
Operating System: [Windows, 10, Home]
REPRODUCTION CASE
Host a website with the following HTML code. Click on the Download button and observe.
<!DOCTYPE html>
<html>
<body>
<h2>Click the folder location where you want the movies to be <div id="sa">downloaded!!</div></h2>
<!-- The directory attributes make the browser open its folder picker; the page labels the submit button "Download" although the selected folder is uploaded. -->
<form method="post" enctype="multipart/form-data">
<input type="file" name="files[]" id="files" multiple="" directory="" webkitdirectory="" mozdirectory="">
<input class="button" id="button1" type="submit" value="Download" />
</form>
</body>
</html>

Nov 8 2017
Unfortunately it looks like this is a system dialog and outside Chrome's control, so I don't think there's anything we can do.

Nov 8 2017
On Windows at least, it looks like we may be able to override this text via BFFM_SETOKTEXT. I think we should let the Directory owners triage.

Nov 8 2017
The Windows code is here: https://cs.chromium.org/chromium/src/ui/shell_dialogs/select_file_dialog_win.cc?l=374&rcl=cd2a25867d1d5bcfb723db453e56361b5dea18ee Elsewhere, we see that GTK's code (https://cs.chromium.org/chromium/src/chrome/browser/ui/libgtkui/select_file_dialog_impl_gtk.cc?l=340&rcl=cd2a25867d1d5bcfb723db453e56361b5dea18ee) uses a custom string IDS_SELECT_UPLOAD_FOLDER_DIALOG_UPLOAD_BUTTON (default value of "Upload") as the button text, so changing the Windows code ought not even require a new localization.

Nov 8 2017
And even if we don't control the dialog, we can still add heuristics around the dialog to check if the user was able to view it for a reasonable amount of time. E.g. if the time delta between opening the dialog and receiving a result is less than 500 ms, ignore the result.
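The timing heuristic sketched in this comment (which comment #6 says was probably meant for a different issue), written out as an added example that is not Chromium code: a small guard that discards a folder-picker result when the dialog was open for less than 500 ms. The class and function names are assumptions, no real OS dialog is involved, and the timings in RunScenario are constructed.

```cpp
// Added example, not Chromium's code: the "was the dialog visible long enough"
// heuristic from comment #5 as a portable C++ class. DialogResultGuard,
// kMinimumVisibleTime and RunScenario are names chosen for this illustration.
#include <chrono>
#include <optional>
#include <string>
#include <vector>

using Clock = std::chrono::steady_clock;
using Millis = std::chrono::milliseconds;

// A result arriving sooner than this after the dialog opened is treated as
// not having been seen by the user (the 500 ms figure is from the comment).
constexpr Millis kMinimumVisibleTime{500};

class DialogResultGuard {
 public:
  // Record the moment the picker was shown.
  void DialogOpened(Clock::time_point when) { opened_ = when; }

  // Return the selected path only if the dialog was open for at least
  // kMinimumVisibleTime; otherwise discard the result. A result that arrives
  // with no open dialog, or before the open timestamp, is also discarded.
  std::optional<std::string> ResultReceived(const std::string& path,
                                            Clock::time_point when) {
    if (!opened_) return std::nullopt;
    const auto visible = when - *opened_;  // negative if 'when' precedes open
    opened_.reset();                        // one result per open
    if (visible < kMinimumVisibleTime) return std::nullopt;
    return path;
  }

 private:
  std::optional<Clock::time_point> opened_;
};

// Open a dialog and deliver a result 'ms' milliseconds later; report whether
// the guard accepted it. Used to probe the threshold boundary.
bool AcceptedAfter(int ms) {
  DialogResultGuard guard;
  const Clock::time_point t0 = Clock::now();
  guard.DialogOpened(t0);
  return guard.ResultReceived("folder", t0 + Millis{ms}).has_value();
}

// Drive the guard through a constructed sequence of events and return the
// selections that survive the heuristic.
std::vector<std::string> RunScenario() {
  DialogResultGuard guard;
  const Clock::time_point t0 = Clock::now();
  std::vector<std::string> accepted;

  // Dialog dismissed 120 ms after opening: too fast, ignored.
  guard.DialogOpened(t0);
  if (auto r = guard.ResultReceived("C:\\Users\\me\\Documents", t0 + Millis{120}))
    accepted.push_back(*r);

  // Dialog open for two seconds before the user picks a folder: accepted.
  guard.DialogOpened(t0 + Millis{3000});
  if (auto r = guard.ResultReceived("C:\\Users\\me\\Pictures", t0 + Millis{5000}))
    accepted.push_back(*r);

  // A result with no open dialog: ignored.
  if (auto r = guard.ResultReceived("C:\\Users\\me\\Desktop", t0 + Millis{6000}))
    accepted.push_back(*r);

  return accepted;
}
```

The guard only reasons about timestamps it is handed, so the same logic could sit in front of any platform dialog; the threshold is a tunable, and the boundary is inclusive (exactly 500 ms is accepted).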

Nov 8 2017
I think comment #5 was meant for Issue 637098 .

Nov 11 2017
I would like to mention two points:
1. This is a security issue, yet it is a publicly visible bug report. I could see it without logging in by going directly to this URL: https://bugs.chromium.org/p/chromium/issues/detail?id=780881#c2
2. This dialog box is under the control of browsers. I am adding a screenshot with this comment that compares Firefox and Chrome. Firefox controls the name of the button but Chrome does not. Hence we can conclude that it is under the browser's control.

Nov 11 2017
Re #7:
1. Publicly disclosed vulnerabilities are not view restricted, and view restricting this doesn't protect anyone. This is not really a vulnerability, per se.
2. Firefox isn't using the platform's folder selection dialog as Chrome does. As noted in #3, however, we can control the button text, although I think it is not especially more likely that the user will read the text of the button than the sentence preceding the folder list.

Nov 11 2017
Re #8: 1. I wanted to know why this is not a security issue. Is it a functional issue according to you?

Nov 11 2017
Re #9: The request here is a UI improvement which may decrease the likelihood of the user inadvertently leaking their own data. It's not considered a vulnerability in terms of how Chrome tracks issues (https://chromium.googlesource.com/chromium/src/+/master/docs/security/severity-guidelines.md).

Nov 11 2017
On ChromeOS, the dialog title is "Select a folder to upload" and the button text is "Upload". On Mac, there's no title, but the button text is "Upload". On Android and iOS, there's no UI text at all, although I'm not sure if the attribute is even supported (as the UI looks the same as the usual "Choose a file" dialog). So this is an issue for Windows and /maybe/ Linux. The Windows patch looks pretty straightforward.

Nov 15 2017
ok

Nov 17 2017
This is indeed a pretty small change to make.
  // In the SHBrowseForFolder callback: once the dialog has been initialized,
  // replace the default "OK" label with the localized "Upload" string.
  if (message == BFFM_INITIALIZED) {
    SendMessage(window, BFFM_SETOKTEXT, 0,
                (LPARAM)l10n_util::GetStringUTF16(
                    IDS_SELECT_UPLOAD_FOLDER_DIALOG_UPLOAD_BUTTON).c_str());
  }
I think we should also OR in the BIF_NONEWFOLDERBUTTON flag to browse_info.ulFlags, because there isn't a scenario where uploading a new empty folder makes any sense.

Dec 13 2017
elawrence@ - are you going to push forward with the change for Windows?

Dec 13 2017
Re #14: I have an in-progress CL at https://chromium-review.googlesource.com/c/chromium/src/+/777681 but this is a pretty low priority for me. Feel free to steal.

Dec 13 2017
Re #11: Linux matches ChromeOS, so we only need this change on Windows.

Dec 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5e0baf43250c2b2189bf24b106628210aa85379b

commit 5e0baf43250c2b2189bf24b106628210aa85379b
Author: Eric Lawrence <elawrence@chromium.org>
Date: Wed Dec 13 23:58:50 2017

Set Folder Upload prompt's button text

On Windows, the folder upload prompt previously used "OK" as the default button text, leading to the possibility that the user would not understand that their selected folder would be uploaded to the server. This CL matches other platforms and uses a localized string ("Upload") as the text of the prompt's commit button.

Bug: 780881
Change-Id: I256d42fc8ba3fdd72d5af360585509b6573b7900
Reviewed-on: https://chromium-review.googlesource.com/777681
Reviewed-by: Scott Violet <sky@chromium.org>
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523938}

[modify] https://crrev.com/5e0baf43250c2b2189bf24b106628210aa85379b/ui/shell_dialogs/select_file_dialog_win.cc

Dec 14 2017
Fixed in 65.0.3294.0. Button text is now "Upload".

Dec 18 2017
Verified using folder upload tests at https://bayden.com/test/upload.asp

Comment 1 by elawrence@chromium.org, Nov 8 2017
Status: Untriaged (was: Unconfirmed)
Summary: Security: Directory Picker UI makes file jacking attack more feasible (was: Security: No UPLOAD name of button makes file jacking attack more feasible)