application/x-chrome-tab should not be readable
Reported by
0x0a1...@gmail.com,
Nov 8 2017
Issue description

Summary: It is possible to read a dragged tab object if the user is coerced into dragging and dropping it into an attacker-controlled page. This is bad because the tab history is included in the object, so information leaks are possible through a trick.

Steps To Reproduce:
1. Open the PoC and click on the button. A popup should appear loading facebook and then redirect to a dummy page.
2. Attempt to drag and drop the newly opened window's tab into the big 'O' under the button (as if you are trying to move the tab, but instead you drop it into the O).
3. We can successfully read the 'x-chrome-tab' object, including history.

As I mentioned before, so much information is available in the output; specifically, I want to point to the history section, where we can extract the victim's facebook name by reading the URL after the redirect. This is done by opening a popup pointing to 'https://www.facebook.com/me', which will instantly redirect to 'https://www.facebook.com/{your name}', and then we redirect to a dummy page in order to create a history object. Given that the user is not dragging directly from facebook.com, it is not the same as having a user copy-paste or drag-and-drop their facebook URL. This is pretty much completely done within the attacker-controlled website.

Supporting Material/References: PoC attached.

Also, I wonder if something worse could happen messing with this object. I haven't been able to produce my own custom tabs yet, but if that is even theoretically possible then we 'theoretically' also have control of all the variables mentioned in the tab object.

Here is a sample of the output:

{"showOnRight":false,"security":{"isSecure":false,"runInsecureContent":false},"src":"about:blank","lastAccessedTime":1502356944847,"computedThemeColor":null,"guestInstanceId":44,"adblock":{},"partition":"persist:default","findDetail":{"searchString":"","caseSensitivity":false},"noScript":{},"endLoadTime":1502356942486,"navbar":{"urlbar":{"location":"http://localhost/wut.html","suggestions":{"selectedIndex":null,"searchResults":[],"suggestionList":null,"shouldRender":false},"selected":false,"focused":false,"active":false}},"trackingProtection":{},"tabId":322,"zoomLevel":0,"breakpoint":"default","partitionNumber":0,"history":["https://www.facebook.com/abdulrahman.alqabandi.3","https://www.facebook.com/abdulrahman.alqabandi.3","http://localhost/wut.html"],"audioMuted":false,"startLoadTime":1502356941347,"provisionalLocation":"https://www.facebook.com/abdulrahman.alqabandi.3","location":"http://localhost/wut.html","fingerprintingProtection":{},"httpsEverywhere":{},"audioPlaybackActive":false,"disposition":"new-popup","title":"localhost/wut.html","searchDetail":null,"icon":null,"isPrivate":false,"openerTabId":5,"parentFrameKey":null,"loading":false,"hrefPreview":"","unloaded":false,"key":1}
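The drop described above, seen from the receiving page's side, as an added example that is not part of the report, the PoC, or the Chromium code base: a drop target that reads only an allowlist of standard MIME types from the DataTransfer and refuses (and logs) any vendor-specific types such as application/x-chrome-tab, so a page never pulls browser-internal objects into script by accident. The readDropSafely/attachSafeDropTarget names, the constructed DataTransfer stub, and the example.invalid URLs in it are assumptions made for this example.

```javascript
// Added example (not from the bug report): allowlist-based DataTransfer reading.

// Standard drop payload types a typical web page has a reason to read.
const ALLOWED_DROP_TYPES = new Set(["text/plain", "text/uri-list"]);

// Reads only allowlisted types from a DataTransfer-shaped object
// (anything with a `types` list and a `getData(type)` method).
// Returns { accepted: { type: data }, refused: [type, ...] }.
// getData is never called for refused types, so browser-internal
// or vendor-specific payloads are never materialised in page script.
function readDropSafely(dt, allowed = ALLOWED_DROP_TYPES) {
  const accepted = {};
  const refused = [];
  for (const type of Array.from(dt.types)) {
    const norm = String(type).toLowerCase(); // "Files" etc. normalised too
    if (allowed.has(norm)) {
      accepted[norm] = dt.getData(type);
    } else {
      refused.push(norm);
    }
  }
  return { accepted, refused };
}

// Wires the safe reader to a real drop target. `onDrop` receives only
// the accepted entries; refused types are surfaced for monitoring.
function attachSafeDropTarget(element, onDrop) {
  element.addEventListener("dragover", (e) => e.preventDefault());
  element.addEventListener("drop", (e) => {
    e.preventDefault();
    const result = readDropSafely(e.dataTransfer);
    if (result.refused.length > 0) {
      console.warn("drop: ignored non-standard types", result.refused);
    }
    onDrop(result.accepted);
  });
}

// Constructed stand-in for the DataTransfer of the drop in the report:
// standard URL entries plus a browser-internal type carrying a JSON blob.
// Values are made up for the example; they are not from the original PoC.
function makeConstructedDataTransfer() {
  const payload = {
    "text/uri-list": "http://localhost/wut.html",
    "text/plain": "http://localhost/wut.html",
    "application/x-chrome-tab": JSON.stringify({
      history: ["https://example.invalid/a", "https://example.invalid/b"],
    }),
  };
  return {
    types: Object.keys(payload),
    getData: (t) => (t in payload ? payload[t] : ""),
  };
}

// Stand-alone demonstration against the constructed stub.
const demo = readDropSafely(makeConstructedDataTransfer());
console.log("accepted:", demo.accepted);
console.log("refused:", demo.refused);
```

In a page, call attachSafeDropTarget(document.getElementById("drop-zone"), handler); the refused list is the thing to alert on, since a standards-only drop target should never see types it did not ask for.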
Nov 8 2017
The file mentioned in #1 was deleted in 2014 in "Delete GTK+ port of Chrome" (http://crrev.com/dcc2977772bdd296d8bfbcaedafd4441def78e3d)
Nov 8 2017

Nov 9 2017
I reproduced this bug. What you have to drag is not the *tab*, but the security indicator (Secure or Not Secure chip, or the (i), or the like). Then it definitely works. :) pwnall: Can you take a look at this, or if you are not the right person, bounce it to a better owner? Thanks! adamk or tanvir.rizvi, if you have ideas for good people to look at this, that'd help too. I think this would be Medium severity, but I think the user interaction requirement is a significant mitigation. Hence Low.
Nov 9 2017
On Windows, Mac, and ChromeOS at least, drag/dropping the SecurityIcon seems to only transfer the URL of the current page. That behavior is expected (it's how you create a desktop shortcut to a given webpage, among other user scenarios). I'm not able to reproduce anything that copies an object that contains richer information.
Nov 29 2017
Original bug reporter: Can you please let me know what platform you encountered this bug on?
Dec 1 2017
Windows 8 Version 62.0.3202.94 (Official Build) (64-bit)
Dec 1 2017
Re #6: Would you mind attaching a screenshot? Thanks!
Dec 1 2017

Dec 1 2017

Dec 1 2017
Thanks, sorry, I should have been more precise. Can you show a screenshot of the "application/x-chrome-tab" that has been output in a webpage?
Feb 14 2018
Closing due to lack of repro. If you can provide the information requested, please do so.
May 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Nov 8 2017
Summary: application/x-chrome-tab should not be readable (was: application/x-chrome-tab should not be readable. )