
Issue metadata

Status: Fixed
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 2
Type: Bug-Security




Issue 805900: Security: URL spoofing via forward and backward navigation on iOS

Reported by chromium...@gmail.com, Jan 25 2018

Issue description

Chrome Version: 64.0.3282.97
Operating System: iOS


Steps to reproduce:
1.) Load outlook.com
2.) Load gmail.com
3.) Go Back
4.) Long press forward to invoke navigation history popup
5.) Quickly tap on gmail entry in history and back

Actual result:
Displayed URL is gmail.com

Expected result
Displayed URL is outlook.com
 
Attachment: WhatsApp Image 2018-01-25 at 15.19.13.jpeg (50.2 KB)

Comment 1 by chromium...@gmail.com, Jan 25 2018

Please watch the video.

Also, in another example, in Screenshot_2 you can see the content of youtube.com is seen with outlook.live.com URL in the omnibox with green lock, and it's definitely bad behavior.
Attachment: screenshot.jpeg (64.3 KB)

Comment 2 by mea...@chromium.org, Jan 29 2018

Components: UI>Browser>Navigation
Thanks for the report. Unfortunately I don't have an iOS device to test this right now, so preemptively adding navigation label.

chromium.khalil: Is the data URL required for this bug? Note that a webpage cannot navigate the top level frame to data URLs.

Comment 3 by chromium...@gmail.com, Jan 29 2018

No, there is no need for that data URL.

Comment 4 by mea...@chromium.org, Jan 29 2018

Do you mean it could instead be served over http?

Comment 5 by chromium...@gmail.com, Jan 29 2018

Yes.

Comment 6 by chromium...@gmail.com, Jan 29 2018

I meant we can use an http URL instead of that data URL.

Comment 7 by mea...@chromium.org, Jan 30 2018

Cc: creis@chromium.org

Comment 8 by creis@chromium.org, Jan 30 2018

Owner: eugene...@chromium.org
iOS uses a different navigation stack.  Eugene, could you help triage this?

Comment 9 by creis@chromium.org, Jan 30 2018

Labels: OS-iOS

Comment 10 by eugene...@chromium.org, Jan 30 2018

Labels: ReleaseBlock-Stable M-65 Pri-1
Status: Assigned (was: Unconfirmed)

Comment 11 by eugene...@chromium.org, Jan 30 2018

I could not reproduce this bug with 64.0.3282.112 from AppStore. 64.0.3282.97 is not the latest version and I remember we recently fixed one URL spoofing bug for M64.  chromium.khalil, is this bug reproducible with 64.0.3282.112? Thanks.

Comment 12 by chromium...@gmail.com, Jan 30 2018

Yes, I am able to repro this bug on Beta and stable (64.0.3282.112). It sometimes takes several tries to repro.

Comment 13 by eugene...@chromium.org, Jan 30 2018

Cc: srikanthg@chromium.org
Labels: Needs-Feedback
Srikanth, can you try reproducing this bug?

Comment 14 by srikanthg@chromium.org, Jan 30 2018

I can't repro it so far on M64.0.3282.112 stable app.
Tested on iPhoneX, iPhone8 plus.

Comment 15 by chromium...@gmail.com, Jan 30 2018

Note: When I repro this bug, I can see there is something weird (inside the red square); it seems like the navigation (via the backward or forward button) is incomplete or failed, which resulted in the spoofed URL.
Attachment: F4FD91E5-661A-4FB5-9022-615030338792.jpeg (179 KB)

Comment 16 by chromium...@gmail.com, Jan 31 2018

I found a more reduced test case:

1. Go to any website, e.g. outlook.com
2. Then go to gmail.com (must be logged in)
3. Back to outlook.com
4. Hold the forward button, click on "https://mail.google..." and quickly click on the forward button

Also, I was able to repro this with different URLs instead of gmail.com, but it does take several attempts to repro.

Comment 17 by chromium...@gmail.com, Jan 31 2018

Comment 18 by srikanthg@chromium.org, Jan 31 2018

I tried with a fresh installation of M64 stable version Chrome app but still no luck.
What version of iOS are you using? Can you also copy/paste the contents of the about://version page? I will try to repro on a few other devices tomorrow.

Comment 19 by chromium...@gmail.com, Jan 31 2018

Google Chrome	64.0.3282.112 (Official Build) stable (64-bit)
Revision	7ceafc6ca46e...
OS	iOS
User Agent	Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_2 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/64.0.3282.112 Mobile/15C202 Safari/604.1
Command Line	--flag-switches-begin --flag-switches-end

Comment 20 by chromium...@gmail.com, Jan 31 2018

iOS 11.2.2 and I have also tried on 10.3.3.

Comment 21 by chromium...@gmail.com, Jan 31 2018

Weird, I repro-ed this very easily, did you try with gmail.com logged-in as I mentioned in C#16?

Comment 22 by elawrence@chromium.org, Jan 31 2018

RE #21: I wasn't able to reproduce this using a 2017 iPad. 

Reproduction is probably a race condition of some sort, so it may be helpful to know what hardware you were able to reproduce this on?

Comment 23 by chromium...@gmail.com, Jan 31 2018

I’m using iPhone 5 and 6. I’ll try to repro on iPad.

Comment 24 by srikanthg@chromium.org, Jan 31 2018

I tried on M64, iPhoneX iOS11.3, iPhone7 iOS11.1.2, iPhone7Plus 10.3.3
Not able to repro. Noticed in some cases that tapping on the back arrow redirects to the NTP instead of outlook.com, but that seems to be a different navigation bug.
As far as this bug, still trying to repro.
I am signed into gmail.com in content area and in Settings.
Attachment: crbug url not updating repro case.mov (4.7 MB)

Comment 25 by chromium...@gmail.com, Jan 31 2018

You don't have to wait until you access the page content of gmail.com; you should click quickly on the back arrow after holding the forward arrow and clicking on "https://mail.google.com...".

Comment 26 by chromium...@gmail.com, Jan 31 2018

Attachment: screen_2.mp4 (2.1 MB)

Comment 27 by srikanthg@chromium.org, Jan 31 2018

Got it. Thanks for the tip.
Bisecting now.

Comment 28 by srikanthg@chromium.org, Jan 31 2018

Labels: -Needs-Feedback
Eugene: I went back up to M61 stable and it's reproduced on all of the builds.
Also on M65 and 66 canary.
Let me know if you need any other information from me.
I followed the repro steps from the comment #26 video.

Comment 29 by palmer@chromium.org, Jan 31 2018

Labels: Security_Impact-Stable Security_Severity-Low

Comment 30 by sheriffbot@chromium.org, Feb 1 2018

Project Member
Labels: -Pri-1 Pri-2

Comment 31 by srikanthg@chromium.org, Feb 1 2018

Cc: linds...@chromium.org

Comment 32 by eugene...@chromium.org, Feb 1 2018

Description: (updated)

Comment 33 by eugene...@chromium.org, Feb 1 2018

Root cause:
When the user taps on "gmail entry in history" Chrome loads gmail
When the user taps on Back button Chrome starts loading outlook

After that, the gmail page creates a renderer-initiated navigation. That renderer-initiated navigation calls navigationManagerImpl->UpdatePendingItemUrl, which overrides outlook.com with gmail.com.

Comment 34 by eugene...@chromium.org, Feb 2 2018

Cc: sdefresne@chromium.org

Comment 35 by bugdroid1@chromium.org, Feb 6 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fcdd81192c7bc9785b62a8f796ea953d681d1d1d

commit fcdd81192c7bc9785b62a8f796ea953d681d1d1d
Author: Eugene But <eugenebut@google.com>
Date: Tue Feb 06 02:28:04 2018

Do not create a pending entry for windows opened by DOM.

Creating a pending entry is cruft code from UIWebView world. This
pending invalid new entry is later updated by
NavigationManager::UpdatePendingItemUrl, which is also cruft code from
UIWebView world.

The problem is that NavigationManager::UpdatePendingItemUrl does not
always work correctly and causes crbug.com/805900. It is necessary to
stop creating an invalid pending entry before removing
NavigationManager::UpdatePendingItemUrl.

Bug: 805900
Cq-Include-Trybots: master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: If478c574f11e5e586fac7407085f57ec05079814
Reviewed-on: https://chromium-review.googlesource.com/899700
Reviewed-by: Sylvain Defresne <sdefresne@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534594}
[modify] https://crrev.com/fcdd81192c7bc9785b62a8f796ea953d681d1d1d/ios/chrome/browser/tabs/tab_model.h
[modify] https://crrev.com/fcdd81192c7bc9785b62a8f796ea953d681d1d1d/ios/chrome/browser/tabs/tab_model.mm
[modify] https://crrev.com/fcdd81192c7bc9785b62a8f796ea953d681d1d1d/ios/chrome/browser/ui/browser_view_controller.mm

Comment 36 by chromium...@gmail.com, Feb 6 2018

Thanks for the fix!

Comment 37 by eugene...@chromium.org, Feb 7 2018

This is not the fix yet. But this landed CL should unblock the fix.

Comment 38 by bugdroid1@chromium.org, Feb 9 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/91fe94ba1ada82a4673f8329dbe243e44f3287f4

commit 91fe94ba1ada82a4673f8329dbe243e44f3287f4
Author: Eugene But <eugenebut@chromium.org>
Date: Fri Feb 09 15:04:53 2018

Cleaned up didReceiveServerRedirectForProvisionalNavigation:

Do not call registerLoadRequestForURL: just to update pending item URL.
Use NavigationContext as a source of truth for URL update instead.

Bug: 805900
Cq-Include-Trybots: master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: Idb26cf953088a0dafcdb8c80396f2bca93d30c16
Reviewed-on: https://chromium-review.googlesource.com/909704
Reviewed-by: Danyao Wang <danyao@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#535711}
[modify] https://crrev.com/91fe94ba1ada82a4673f8329dbe243e44f3287f4/ios/web/web_state/ui/crw_web_controller.mm

Comment 39 by cmasso@google.com, Feb 12 2018

What's the update on this blocker? The M65 release is nearing.

Comment 40 by eugene...@chromium.org, Feb 12 2018

Labels: -M-65 M-66
Punting to M66. We need to land a few more CLs to fix the bug and CLs which were landed already are not very safe.

Comment 41 by bugdroid1@chromium.org, Feb 14 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/03a75113ce67157d31d9743ab7440939271d30cc

commit 03a75113ce67157d31d9743ab7440939271d30cc
Author: Eugene But <eugenebut@google.com>
Date: Wed Feb 14 23:13:57 2018

Change post request to get in didReceiveServerRedirectForProvisionalNavigation.

This was copied from UpdatePendingItemUrl method which will be removed
in a separate CL.

Also reset _lastTransferTimeInSeconds for server redirects.

Bug: 805900
Cq-Include-Trybots: master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: I79f846c9d4777fc45abff220632a7afc80819d0a
Reviewed-on: https://chromium-review.googlesource.com/914129
Commit-Queue: Eugene But <eugenebut@chromium.org>
Reviewed-by: Danyao Wang <danyao@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536869}
[modify] https://crrev.com/03a75113ce67157d31d9743ab7440939271d30cc/ios/web/navigation/navigation_manager_impl.h
[modify] https://crrev.com/03a75113ce67157d31d9743ab7440939271d30cc/ios/web/navigation/navigation_manager_util.h
[modify] https://crrev.com/03a75113ce67157d31d9743ab7440939271d30cc/ios/web/navigation/navigation_manager_util.mm
[modify] https://crrev.com/03a75113ce67157d31d9743ab7440939271d30cc/ios/web/net/crw_ssl_status_updater.h
[modify] https://crrev.com/03a75113ce67157d31d9743ab7440939271d30cc/ios/web/net/crw_ssl_status_updater.mm
[modify] https://crrev.com/03a75113ce67157d31d9743ab7440939271d30cc/ios/web/web_state/ui/crw_web_controller.mm

Comment 42 by eugene...@chromium.org, Feb 20 2018

Status: Started (was: Assigned)

Comment 43 by bugdroid1@chromium.org, Feb 21 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/74c0d72561c3bea1cb87ba9bfe9f7e7201a1e650

commit 74c0d72561c3bea1cb87ba9bfe9f7e7201a1e650
Author: Eugene But <eugenebut@google.com>
Date: Wed Feb 21 22:53:08 2018

Do not update Pending Item URL with a URL that has a different origin.

NavigationManagerImpl::UpdatePendingItemUrl exists to update the URL
for redirects. UpdatePendingItemUrl is no longer used for server side
redirects, so this change makes sure that pending item origin is never
changed to prevent URL spoofing bugs.

Conceptually this is not the right fix, because NavigationManager
assumes that there can be only one pending navigation (which is not
true with WKWebView). The right fix would be to switch to WK-based
navigation manager, so this CL is just a workaround.

Bug: 805900
Cq-Include-Trybots: master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: I20eed4a661244c0fec52a87b088c0620c5f57036
Reviewed-on: https://chromium-review.googlesource.com/923546
Reviewed-by: Danyao Wang <danyao@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#538237}
[modify] https://crrev.com/74c0d72561c3bea1cb87ba9bfe9f7e7201a1e650/ios/web/web_state/ui/crw_web_controller.mm
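As an added illustration (not Chromium's code) of the race described in comment 33 and of the origin check this workaround CL describes, the C++ model below replays the reporter's sequence against a pending-item store with and without the check; `NavigationManagerModel`, `SimulateRace`, `OriginOf` and the signature given to `UpdatePendingItemUrl` are hypothetical stand-ins, not the real ios/web API.

```cpp
// Added example, not Chromium code: minimal model of the iOS pending-item race
// (comment 33) and the same-origin guard described in commit 74c0d725.
#include <optional>
#include <string>

// Hypothetical helper: scheme://host[:port] of a URL (no default-port or IDN handling).
std::string OriginOf(const std::string& url) {
  size_t scheme_end = url.find("://");
  if (scheme_end == std::string::npos) return "";
  size_t host_end = url.find_first_of("/?#", scheme_end + 3);
  return url.substr(0, host_end == std::string::npos ? url.size() : host_end);
}

bool SameOrigin(const std::string& a, const std::string& b) {
  std::string oa = OriginOf(a), ob = OriginOf(b);
  return !oa.empty() && oa == ob;
}

struct NavigationManagerModel {
  std::string committed_url;               // last committed URL (omnibox fallback)
  std::optional<std::string> pending_url;  // URL displayed while a load is in flight
  bool enforce_origin_check;               // false models the pre-fix behaviour

  void StartNavigation(const std::string& url) { pending_url = url; }

  // Stand-in for NavigationManagerImpl::UpdatePendingItemUrl. Before the fix any
  // caller could rewrite the pending URL; with the guard a cross-origin URL is
  // rejected and the pending item (and thus the omnibox) is left untouched.
  bool UpdatePendingItemUrl(const std::string& url) {
    if (!pending_url) return false;
    if (enforce_origin_check && !SameOrigin(*pending_url, url)) return false;
    pending_url = url;
    return true;
  }

  std::string DisplayedUrl() const { return pending_url ? *pending_url : committed_url; }
};

// Replays the report: the forward-history tap starts loading gmail, a quick Back
// tap makes outlook.com the pending item, then the still-alive gmail page issues
// a renderer-initiated navigation that reaches UpdatePendingItemUrl.
std::string SimulateRace(bool enforce_origin_check) {
  NavigationManagerModel nav{"https://outlook.com/", std::nullopt, enforce_origin_check};
  nav.StartNavigation("https://mail.google.com/mail/");          // forward-history tap
  nav.StartNavigation("https://outlook.com/");                   // quick Back tap
  nav.UpdatePendingItemUrl("https://mail.google.com/mail/u/0/"); // late renderer navigation
  return nav.DisplayedUrl();  // pre-fix: gmail URL over outlook content; fixed: outlook.com
}
```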

Comment 44 by eugene...@chromium.org, Feb 22 2018

Status: Fixed (was: Started)

Comment 45 by sheriffbot@chromium.org, Feb 22 2018

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 46 by chromium...@gmail.com, Feb 26 2018

Any bounty for this report? Thanks!

Comment 47 by awhalley@google.com, Feb 26 2018

Labels: reward-topanel
Let's see what the panel says :-)

Comment 48 by awhalley@google.com, Mar 6 2018

Labels: -reward-topanel reward-0
I'm afraid the VRP panel declined to reward for this bug, citing how much user interaction was required and how it's mitigated. If you have a PoC that requires less user interaction, we could reconsider it.

Comment 49 by awhalley@chromium.org, Mar 28 2018

Labels: -ReleaseBlock-Stable

Comment 50 by awhalley@google.com, Apr 17 2018

Labels: Release-0-M66

Comment 51 by awhalley@chromium.org, Apr 25 2018

Labels: CVE-2018-6113

Comment 52 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-missing

Comment 53 by sheriffbot@chromium.org, May 31 2018

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 54 by awhalley@chromium.org, Jan 4

Labels: -CVE_description-missing CVE_description-submitted
