Chrome for Android - Window.open combined with the onbeforeunload dialog crashes Chrome's WebView render
Reported by
luan.her...@hotmail.com,
Jan 4 2018
Issue description

VULNERABILITY DETAILS
Opening a new window while in Chrome's WebView and redirecting the opener's location to trigger an onbeforeunload dialog crashes the render while still allowing the user to interact with the page in the background. This allows the attacker to spoof the URL and also to perform "clickjacking" on any website.

VERSION
I tested on: Chrome 63.0.3239.111 / Android 6.0.1

REPRODUCTION CASE
WARNING: By following through the PoC, you will end up giving permission to the app "OAuth.io" to read your private email on GitHub.
1. From Chrome's WebView, you should access https://lbherrera.github.io/lab/render/index.html
2. Click on the link.
3. A dialog will show up asking if you want to leave the page; click "Leave".
4. Click the button "Redeem prize". If no button shows up, try again from Step 1.
* I made this PoC only having my phone's screen resolution in mind, so the button's location may be off and you will need to click elsewhere to give permission to the "attacker" on GitHub, but a dedicated attacker could easily fix this, as he knows the user's screen resolution.
,
Jan 5 2018
As I expected, I was able to reproduce this using another app using WebView.
,
Jan 5 2018
I just tested and was able to reproduce it on Telegram and Facebook apps, so it doesn't seem to be something Twitter is doing specifically.
,
Jan 5 2018
timvolodine@ Could you please take a look at this? Thank you
,
Jan 18 2018
timvolodine: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 19 2018
Currently no cycles to look at this. Unassigning to allow somebody else to pick this up.
,
Jan 26 2018
eugenebut, wjmaclean: Would either of you be able to take a look at this medium severity bug? Thanks!
,
Jan 26 2018
I'm afraid I have *zero* experience with Android WebView (which is quite a separate thing from desktop WebView, which I do work on).
,
Jan 26 2018
I don't work on Chrome for Android or Android WebView. From the description it's unclear if the problem is specific to Chrome or WebView. CCing folks from WebView and Chrome for Android to help with triage.
,
Jan 26 2018
The twitter page looks like a chrome custom tab, so maybe not WebView related at all. Does this reproduce in the standalone Chrome app?
,
Jan 26 2018
#12: I believe you are right. I was not aware of Chrome Custom Tabs and mistakenly took it for the WebView. Sorry about that :/ And no, it doesn't reproduce on the standalone app.
,
Feb 1 2018
bauerb: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 1 2018
Thanks, nagbot! :-D A few initial notes:
* I can reproduce this in Stable and Canary. In a local debug build I get a blank page instead of the "Redeem prize" page, but otherwise the same behavior. I'll try a Release build to see if that makes a difference.
* I did not get any indication of an actual crash (either as a crash report or a stack trace on logcat). If there is a process going down, it's doing that very silently.
* The page that is being loaded definitely is https://github.com (as seen in the origin indicator), and it can even be interacted with (I get a keyboard popping up when I tap on the page, presumably because I'm hitting a text input field), but what is _visible_ is the old page.
* chrome://inspect/#devices actually shows two tabs (!) when that happens. By clicking "focus tab" I can switch the active tab.
* If the github authorization tab is active (i.e. not the spoof page), what is visible in the custom tab is ever so slightly blurry, which is what happens if the compositor draws a saved snapshot of the webcontents (which is stored at slightly reduced quality) instead of the "live" webcontents.
,
Feb 6 2018
WIP CL is up at https://chromium-review.googlesource.com/c/chromium/src/+/904982.
,
Feb 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/371ba40daa4b7c34912b02e0288e165ae2043a93

commit 371ba40daa4b7c34912b02e0288e165ae2043a93
Author: Bernhard Bauer <bauerb@chromium.org>
Date: Thu Feb 08 11:06:02 2018

Move tab observation from LayoutManagerChrome to LayoutManager.

This ensures that all activities using a LayoutManager observe the necessary tab events (not just ChromeTabbedActivity), and allows removing the CustomTabLayoutManager, which used to observe only a subset of events.

Bug: 798933
Change-Id: I20242ba89fc058256adeddfdc42260c0220a9fe8
Reviewed-on: https://chromium-review.googlesource.com/904982
Commit-Queue: Bernhard Bauer <bauerb@chromium.org>
Reviewed-by: Matthew Jones <mdjones@chromium.org>
Reviewed-by: Yusuf Ozuysal <yusufo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#535351}

[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java/src/org/chromium/chrome/browser/compositor/layouts/LayoutManager.java
[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java/src/org/chromium/chrome/browser/compositor/layouts/LayoutManagerChrome.java
[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java/src/org/chromium/chrome/browser/compositor/layouts/LayoutManagerChromeTablet.java
[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java/src/org/chromium/chrome/browser/customtabs/CustomTabActivity.java
[delete] https://crrev.com/21a534ef80dc7ab11a42747f2601bdc48a740ba8/chrome/android/java/src/org/chromium/chrome/browser/customtabs/CustomTabLayoutManager.java
[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappActivity.java
[modify] https://crrev.com/371ba40daa4b7c34912b02e0288e165ae2043a93/chrome/android/java_sources.gni
,
Feb 8 2018
+Emily because spoofing. Do I need to do anything special to make the sheriffbot pick this up?
,
Feb 8 2018
No need to do anything special for sheriffbot, however, I think we may want to try to merge this to M65 per https://chromium.googlesource.com/chromium/src/+/master/docs/security/severity-guidelines.md#medium-severity. Thanks for the fix!
,
Feb 8 2018
Sure! I actually have cherry-pick CLs for 65 (https://chromium-review.googlesource.com/c/chromium/src/+/906777) and 64 (https://chromium-review.googlesource.com/c/chromium/src/+/906934).
,
Feb 8 2018
Ah, great, thank you!
,
Feb 19 2018
*** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
,
Feb 19 2018
Nice one luan.herrera@! The Chrome VRP panel decided to award $2,000 for this report. Thanks!
,
Mar 16 2018
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 19 2018
Please verify the fix in the latest canary
,
Mar 23 2018
Ping!
,
Mar 26 2018
awhalley@ please can you ensure this issue is merged into M66? Unless it can wait?
,
Mar 30 2018
I have requested this issue to be merged into M66 since March 19th. We are now only a few days away from releasing M66. Can someone on this thread handle this since the owner does not respond? awhalley@ do we care about merging this security issue?
,
Mar 30 2018
No merge needed for 66
,
May 17 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot