New issue
Advanced search Search tips
Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug-Security

Blocking:
issue 640466



Sign in to add a comment

Security: Chrome fullscreen without any warning and dialog no orgin for spoof

Reported by xis...@gmail.com, Jan 26 2018

Issue description

VULNERABILITY DETAILS
Chrome fullscreen without any warning ,dialog no orgin.The attacker may insert an image of a fake omnibox in its place, thus spoofing it.

VERSION
Chrome 64.0.3282.119 on macOS High Sierra 10.13.3

REPRODUCTION CASE
1.Access http://xisigr.com/test/spoof/chrome/fullscreen.html
2.Click on the "gmail.com" button.
3.Fullscreen without any warning ,dialog no orgin.
 
Cc: a...@chromium.org
Labels: OS-Mac
Status: Untriaged (was: Unconfirmed)
This attack doesn't seem to work in 64.0.3282.119 and later on Windows; the prompt dialog causes the full-screen mode to exit immediately.

In contrast, the spoof seems to work perfectly on Mac.


Comment 2 by a...@chromium.org, Jan 26 2018

What is the behavior that you see?

On my Mac, in 65.0.3315.3 I see:
1. The page goes fullscreen
2. The page loads a gmail spoof image
3. The page shows a dialog, kicking it out of fullscreen
4. The page is shown non-fullscreen but with a dialog attached.

On my Mac I cannot repro a failure to exit fullscreen.
Components: UI>Browser>FullScreen
Re #2: I'm not kicked out of full-screen by the prompt on Mac. I tried changing chrome://flags#secondary-ui-md but that didn't make a difference.

Comment 4 by a...@chromium.org, Jan 26 2018

What Mac OS are you using? I'm on 10.11 and things work.
10.13.2 (17C205) on a 2015 MacBook Pro.

Comment 6 by mea...@chromium.org, Jan 26 2018

Cc: -a...@chromium.org
Owner: a...@chromium.org
Status: Assigned (was: Untriaged)
I'm seeing the same behavior as elawrence on a 2012 Macbook Pro with 66.0.3331.0.

avi: I hope you don't mind me assigning this to you so that it has an owner.

Comment 7 by a...@chromium.org, Jan 26 2018

What is your OS version?

Comment 8 by mea...@chromium.org, Jan 26 2018

Same as Eric, High Sierra (10.13.2)

Comment 9 by raymes@chromium.org, Jan 30 2018

Labels: M-64 Security_Severity-Medium Security_Impact-Stable
I can also repro, albeit on High Sierra with M63. It's fairly nasty as the escape key doesn't seem to exit fullscreen. 
Project Member

Comment 10 by sheriffbot@chromium.org, Jan 31 2018

Labels: Pri-1

Comment 11 by a...@chromium.org, Feb 7 2018

Cc: spqc...@chromium.org
Sarah, has fullscreen changed in 10.13? Popups kick pages out of fullscreen in 10.11.
Yes, it looks like the fullscreen transition process has changed on 10.13. This broke some stuff recently. I can take over this issue and have a look

Comment 13 by a...@chromium.org, Feb 7 2018

Cc: -spqc...@chromium.org a...@chromium.org
Owner: spqc...@chromium.org
That would be awesome. I'll stick around; if there are any issues related to dialogs that you need a hand with, poke me.

Comment 14 by a...@chromium.org, Feb 7 2018

Attaching a file to easily go into fullscreen and trigger popups.
fullscreenpopuptest.html
933 bytes View Download
Thanks! I suspect this is an async issue. I was the one who fixed this on 10.12 and earlier, so I have a good idea on where to look.
Project Member

Comment 16 by bugdroid1@chromium.org, Feb 8 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a390da5e987c936ca7785d948c635ea67da02552

commit a390da5e987c936ca7785d948c635ea67da02552
Author: spqchan <spqchan@chromium.org>
Date: Thu Feb 08 20:55:42 2018

[Mac] Fix Fullscreen Spoofing Issue on 10.13

On 10.13, -didEnteredFullscreen: is called before the
fullscreen transition actually gets finished. As a result,
AppKit ignores -toggleFullscreen: inside that runloop and will
print "not in a fullscreen state". To fix this issue, call
-toggleFullscreen: asynchronously.

Bug:  806162 
Change-Id: If0d3559c68bfb38ba70da86894f1231f976ee403
Reviewed-on: https://chromium-review.googlesource.com/909080
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Sarah Chan <spqchan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#535506}
[modify] https://crrev.com/a390da5e987c936ca7785d948c635ea67da02552/chrome/browser/ui/cocoa/browser_window_controller.mm
[modify] https://crrev.com/a390da5e987c936ca7785d948c635ea67da02552/chrome/browser/ui/cocoa/browser_window_controller_private.h
[modify] https://crrev.com/a390da5e987c936ca7785d948c635ea67da02552/chrome/browser/ui/cocoa/browser_window_controller_private.mm

Project Member

Comment 17 by sheriffbot@chromium.org, Feb 22 2018

spqchan: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Fixed (was: Assigned)
Project Member

Comment 19 by sheriffbot@chromium.org, Feb 24 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -M-64 M-66
Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Congrats! the Chrome VRP panel decided to award $1,000 for this report. Cheers!
Labels: -reward-unpaid reward-inprocess
Project Member

Comment 25 by sheriffbot@chromium.org, Mar 16

Labels: Merge-Request-66
Project Member

Comment 26 by sheriffbot@chromium.org, Mar 16

Labels: -Merge-Request-66 Merge-Review-66 Hotlist-Merge-Review
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-66 Merge-Rejected-66
Since this landed before March 1st, no merge needed for 66. 
Labels: Release-0-M66
Labels: CVE-2018-6097
Labels: CVE_description-missing
Project Member

Comment 31 by sheriffbot@chromium.org, Jun 1

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Blocking: 640466

Sign in to add a comment