New issue
Advanced search Search tips

Issue 817208 link

Starred by 2 users
Status: Available
Owner: ----
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug

Blocked on:
issue 624495


Sign in to add a comment

Chrome for Android can be blocked with endless Client Certificate request dialogs

Reported by zhuoweiz...@yahoo.com, Feb 28 2018 
Steps to reproduce the problem:
1. Navigate to a site that contains an iframe that repeatedly navigate to new domains, which all request client certificates
2. For each of these domains from the iframe, Chrome pops up a "No certificate found" dialog.

What is the expected behavior?
This dialog should have an option to prevent the page to pop up any more dialogs, like all the other modals

What went wrong?
The page can pop up as many modal "No Certificate found" dialogs as it wants, simply by navigating to new domains in an iframe.

This can be used to hold the user's browser hostage with endless dialogs.

Since each of these dialogs is a new Android Activity, it can also be used to hang devices by launching, say, a new dialog every second.

Also, Chrome sometimes crashes with a segfault when I dismiss dialogs too fast.

Attached is a proof of concept that can be run locally with Node.js and ADB. See the README.txt in the .zip for usage instructions.

Did this work before? No 

Chrome version: 64.0.3282.137  Channel: stable
OS Version: 8.1.0
Flash Version: 

I'm reporting this as a security bug since similar bugs like 263326 are Team-Security-UX.
clientcertannoy.zip
6.8 KB Download

Comment 1 by elawrence@chromium.org, Feb 28 2018

Components: Internals>Network>SSL
> Also, Chrome sometimes crashes with a segfault when I dismiss dialogs too fast.

Does this create an entry in chrome://crashes? If so, please share the "Uploaded Crash Report ID".

I suspect the dialog in question is from Android itself (https://textslashplain.com/2017/01/13/client-certificates-on-android/) which might make this challenging to fix.

Comment 2 by zhuoweiz...@yahoo.com, Feb 28 2018 

The crash ids are 67dc9aa935304fd3, 3611e69a3591340d, and ad50b5e28a096914.

Comment 3 by kenrb@chromium.org, Feb 28 2018

Labels: Security_Impact-Stable Security_Severity-Low
Status: Available (was: Unconfirmed)
This amounts to a denial of service on the browser, since the attacker can't control the content of the dialog. Flagging appropriately.

I believe the code that intermediates this is in chrome/browser/ui/android, so there is probably something we can do to mitigate.

I'm not sure what to make of the crash stacks on the reports on comment 2. They are unsurprisingly in the JNI that manages the dialog.

Comment 4 by tsepez@chromium.org, May 3 2018

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
We treat browser DoS as a functional issue, rather than a security issue (although the result is annoying it doesn't leak information).

Comment 5 by davidben@chromium.org, May 3 2018

Blockedon: 624495
It should be largely resolved by deduplicating the prompts by host (issue #624495), which is needed also in the non-malicious case.

But someone intent on making a nuisance could still get around it via other means. I think the next change we want is to cancel client cert requests when their corresponding URLRequest has cancelled, presuming the prompt hasn't shown yet. (Currently we show prompts all at once and let Android deal with it, but deduplicating will require we queue them up.)

After that, being a nuisance is probably still possible, though renderer and socket limits would complicate it. If needed, we can then look at more dedicated rate limits around that prompt. But ultimately we have some difficulty because once the prompt itself is shown, we have no control over it.

The crash itself I would expect is memory exhaustion, but the stack trace is odd, so maybe there's something else wrong there. But ultimately we will just crash from memory exhaustion.

Sign in to add a comment