Security: obtained access to iframe from another origin
Reported by clau...@newtechnologysas.it, Feb 23 2018
Issue description
VULNERABILITY DETAILS
I was placing an iframe in the web app I'm working on.
The iframe pointed at another domain but I wanted to manipulate some element inside it, so I wasted some time trying to break it via developer tools.
After giving the frame some CSS properties via the console it started glitching and flickering. I got to the Elements tab and noticed that the whole inner document structure was now fully accessible.
VERSION
Chrome Version: 65.0.3325.88 (Official Build) beta (64-bit)
Operating System: Windows 10 64-bit
REPRODUCTION CASE
<div id="frameArea" style="width:1199px;height:500px;overflow:hidden">
<iframe src="https://www.trovausati.it/rivenditori" width="1229" height="600"></iframe>
</div>
1- gave transform: scale(1.1); to the div
2- removed it
3- gave transform: scale(1,1.15); to the iframe
4- started seeing glitches after playing a bit more with the last one
Feb 23 2018
Can you explain what you mean when you say "document structure was now fully accessible"? It's absolutely by-design that Chrome's developer tools allow you to inspect and interact with any frame on the page, regardless of its origin. The red box with "rivenditori" in the Console tab is a dropdown list that allows you to pick which context the Console executes in. If you could access the contents of the cross-origin frame *from JavaScript in the outer page*, that would represent a vulnerability, but accessing the contents from the developer tools is not.
Feb 26 2018
I mean that I could not only see the structure, but I could use jQuery to manipulate the DOM.
I tried doing $("#aniframeinnerdiv").css('background','red') and I succeeded.
Today I'll try replicating it if I have a bit more time.
Feb 26 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 26 2018
I've tried to replicate the issue, but I seem to be able to provoke a DOM change inside the iframe only after I use Ctrl+Shift+C at least once on one of its elements. I can't find a simple way to reproduce the issue via pure code, so I suppose it's a non-issue.
Feb 26 2018
The NextAction date has arrived: 2018-02-26
Feb 26 2018
Right, it's expected that you can enter code in the Developer Tools console to manipulate the contents of any frame on the page. If you could do this to a cross-origin frame from your web markup itself, that would be a vulnerability.
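The boundary described in this thread is the same-origin policy: page script may touch a frame's DOM only when scheme, host and port all match, and cross-origin frames are reached through postMessage with an explicit origin check. The following is an added example (not code from the report or from Chromium) that models that origin comparison and a defensive message handler; the outer-page origin "https://app.example" is a constructed placeholder, the frame URL is the one from the reproduction case.

```javascript
// Added example: models the same-origin check behind the discussion above
// and the postMessage pattern to use instead of touching a cross-origin
// frame's DOM. "https://app.example" is a constructed placeholder origin.
const OUTER_PAGE = "https://app.example/dealers";
const FRAME_SRC = "https://www.trovausati.it/rivenditori";

// Origin = (scheme, host, port). URL.origin normalizes default ports, so
// "https://a.example:443" and "https://a.example" compare equal.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Whether script in the outer page may access a frame's document directly
// (contentDocument, jQuery selectors into the frame). When origins differ
// the browser blocks it: contentDocument is null and contentWindow.document
// throws a SecurityError. DevTools is not subject to this check.
function outerScriptCanTouchFrameDom(outerUrl, frameUrl) {
  return sameOrigin(outerUrl, frameUrl);
}

// Receiving side of cross-origin messaging: the frame (or the outer page)
// accepts a message only from one explicitly allowed origin and only for a
// fixed set of actions. `event` mimics a MessageEvent: { origin, data }.
function handleFrameMessage(event, allowedOrigin) {
  if (event.origin !== allowedOrigin) {
    return { accepted: false, reason: "origin mismatch: " + event.origin };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.action !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  // Never apply arbitrary CSS/HTML sent by the other side; map to known actions.
  const allowedActions = { highlight: true, reset: true };
  if (!allowedActions[data.action]) {
    return { accepted: false, reason: "unknown action " + data.action };
  }
  return { accepted: true, action: data.action };
}

// Sending side, in a browser:
//   iframe.contentWindow.postMessage({ action: "highlight" }, new URL(FRAME_SRC).origin);
// The second argument pins the recipient origin, so the message is dropped
// if the frame has since navigated elsewhere.
```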
Jun 5 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by clau...@newtechnologysas.it, Feb 23 2018: attachment (113 KB)