
Issue 781143 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: ----
Type: Bug-Security

Blocking:
issue 780715


Security: Multiple automated redirections without user gesture

Project Member Reported by awhalley@chromium.org, Nov 3 2017

Issue description

Ref: ZDI-CAN-5365

This bug was responsibly disclosed during pwn2own mobile 2017.

The text is provided by the reporter:

"At this point the web page is trying to perform 2 automated redirections. Firstly it tries to load the SamsungNotes app through the market place proxy ('market://details?url=content://media/external/file/350&id=com.samsung.android.app.notes'). This causes the parsing of the memo file and writing of the configuration to the external storage. Secondly the reboot URL is visited.

These two actions constitute two automated actions, which is not permitted by Chrome. Chrome permits one automated action (such as Javascript updating the ‘document.location’ value), but this must then be followed by an actual user action (such as the user tapping a link on the screen) before another automated action can take place. It was found that enforcement of this rule was not strict, and enabled two automated actions to take place in the initial moments after a page had loaded. Therefore the HTML’s body’s ‘onLoad’ function was set to click on an anchor element containing the reboot URL, and then immediately click on another anchor element linking to the memo. This had the effect of triggering both activities, even though only one should be triggered."

See the true branch of "if (sessionStorage.getItem("memo")) {" in downloadme.html

Attachment: downloadme.html (4.0 KB)
I've not been able to reproduce, or otherwise work out if they are losing a security race or winning a functionality race :-p
Labels: OS-Android
Blocking: 780715
Summary: Security: Multiple automated redirections without user gesture (was: Security: Multiple automated redirections without user intent)
>  Chrome permits one automated action (such as Javascript updating the
> ‘document.location’ value), but this must then be followed by an actual 
> user action (such as the user tapping a link on the screen) 

Really? I'm not aware of any such limitation (modulo opening new windows, where the popup blocker may intervene).

Navigation today does not consume a user-gesture, although there's a recent "[blink-dev] Re: Intent to Implement and Ship: Initiating main frame navigations consumes a user gesture"

Comment 5 by wfh@chromium.org, Nov 3 2017

Components: UI>Browser>Navigation

Comment 6 by vakh@chromium.org, Nov 3 2017

Cc: creis@chromium.org nasko@chromium.org
nasko, creis: do you know who can help triage this?

> I'm not aware of any such limitation
Me neither.
Status: WontFix (was: Unconfirmed)
Sounds like not a security bug then - setting to wontfix.  Thanks!

Project Member Comment 8 by sheriffbot@chromium.org, Feb 14 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
