New issue
Advanced search Search tips

Issue 783560 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Nov 2017
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security



Sign in to add a comment

Browsers are vulnerable to Picture-in-Picture attacks

Reported by david.we...@gmail.com, Nov 10 2017 
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. Go to http://usekp.com/c/dave1/PayPal
2. Click on the PayPal button
3. Get fooled

What is the expected behavior?
This may not be a security issue perse, but please see http://usekp.com/c/dave1/PayPal/.

It is a realistic duplication of PayPal functionality that could easily be used to get somebody's information. It is only as realistic as I got it in a hour or two - more work would make it even more realistic. And it's clearly not a Chrome issue all by itself. Any browser would show the same vulnerability.

This was created by me, is not a public URL and PayPal (who have not replied) and this email are the only place I have revealed it. This URL above does not attempt and does not grab anyone's name or password, it merely shows a way that it can be convincingly done.

While any site could be duplicated, the PayPal site seems to lend itself to this sort of vulnerability because it opens the PayPal window in a smaller popup window, and this make it very easy to fake. The address bar, which is totally fake, has the PayPal address, the padlock, and all buttons work. It even goes to standard Google help pages when links are clicked on. It loads realistically, and even to anyone who is following the standard safety guidelines - look for the padlock, etc, would be fooled.

It may be that Google just sees this as an example of a 'standard' phishing attack, I don't know. However, it is amazingly simple to put together and amazingly real.

What went wrong?
User gets fooled and enters their name and password.

Did this work before? No 

Chrome version: 61.0.3163.100  Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 27.0 r0

I have not included Chrome versions, etc, as this is an issue for all Chrome versions, all OSs, and all devices. The example above is a Windows type example, and it could be duplicated for any device.

Comment 1 by elawrence@chromium.org, Nov 10 2017

Status: Untriaged (was: Unconfirmed)
Summary: Browsers are vulnerable to Picture-in-Picture attacks (was: See http://usekp.com/c/dave1/PayPal)
Yup, this is a nicely executed instance of what's called a Picture-in-Picture attack: https://textslashplain.com/2017/01/14/the-line-of-death/

Do you have any novel ideas about how a browser might combat an attack of this nature?
PiP.png
113 KB View Download

Comment 2 by david.we...@gmail.com, Nov 10 2017 

Well yes actually. Challenge accepted! But first, I mentioned I thought this was a PayPal only issue - but it appears Google accounts are even easier to fake.

See http://usekp.com/c/dave1/google as another example. In this case, I even added some (crappy) sounds when the user clicks outside the dialog box, further cementing the idea that is a system, rather than a browser dialog box that is appearing. And you can't get rid of it, like a normal browser dialog. Can't go back, or forwards, and in fact, at the end, it loads the Google search page, and you can't go back to the page that phished you because I used a location.replace to get to the Google Search Page. Assuming the user was logged into Google Chrome at the beginning, they will really have no idea they were phished.

I would say that important pages - ones like PayPal or the Google pages that can collect account details should not be able to be launched in other than full screen windows. Or rather full window windows, so the URL bar is still visible. Otherwise it is too easy to fake. That is my initial thought. But I think, given a day or so, I could come up with several more. It was only a day or two ago I decided to sit down and see just how easy this whole thing was.

And in all of these simulations, I could have gone further than just picture in picture. I could allow the faked window to be moved around from the title bar. I already activated all the buttons in the simulated URL bar to make it seem alive and real. Adding the background sounds when they click outside the faked dialog box as I mentioned also makes it seems more realistic. It all happens on one web page so there and everything is preloaded so there is no delays or no new web pages being loaded (prevents back button being used). I considered using the Full Page API as mentioned in that link, but in both cases that is not even needed for the simulation to be accurate. On the Google example I could have used more animations to make it more realistic, but I think that would also have been overkill.
chrome.jpg
48.1 KB View Download

Comment 3 by elawrence@chromium.org, Nov 10 2017 

> should not be able to be launched in other than full screen windows.

Can you elaborate on why you believe that this would meaningfully address picture-in-picture attacks? Normal web users wouldn't know that such a special limitation exists, which means that they wouldn't know that a page that wasn't full-screened was not legitimate.

(That's setting aside, for now, the difficulty of the browser somehow detecting legitimate login pages and forcing them to run in full-screen).

Comment 4 by david.we...@gmail.com, Nov 10 2017 

Give me a few days - I'll have some great ideas. I know browsers inside out and the issues and limitations you face in this regard.

Comment 5 by est...@chromium.org, Nov 10 2017

Labels: -Restrict-View-SecurityTeam Security_Impact-None
Status: WontFix (was: Untriaged)
I'm going to close this bug to remove it from the security queue, since it's a well-known/public limitation of web browsers and computing systems in general. To the reporter: if you have other ideas that would improve user security in these situations, please file them as new feature requests. Thanks!

Sign in to add a comment