
Issue 817809


Issue metadata

Status: Duplicate
Merged: issue 812769
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Mac
Pri: 2
Type: Bug-Security




Security: Basic Authentication prompt can hide the Fullscreen Warning

Reported by chromium...@gmail.com, Mar 1 2018

Issue description

VERSION
Chrome Version: 66.0.3357.0 (Official Build) canary (64-bit)
Operating System: Mac

This is similar to issue 812060.

I have another, more convincing test case using HTTP Basic Auth – e.g. it could trick users into thinking they're on https://api.stripe.com when they're actually on the test case page (I think most users probably look at the omnibox; also, the HTTP Basic Auth hides the fullscreen notification with "sign in https://api.stripe.com"). Since users could enter private info into https://api.stripe.com properties (e.g. login credentials), which could get stolen by this fake domain, this seems like a Medium security issue.
 
Attachments:
test case.html (62.0 KB)
Screen Shot 2018-02-26 at 17.13.09.png (200 KB)
Cc: tapted@chromium.org a...@chromium.org
Components: Internals>Network>Auth UI>Browser>FullScreen
The POC causes a script error; it needs .webkitRequestFullscreen I believe.
https://bayden.com/test/fullscreenandauth.html

I'm not exactly clear on your attack scenario; if a user types their credentials into the HTTP auth dialog, those are conveyed to the legitimate (api.stripe.com) domain.

So I think this boils down to the same "dialogs should cause exit of full-screen, otherwise the YouHaveGoneFullScreen notice can get overlapped" bug of which there are four or five copies now.
Summary: Security: Basic Authentication prompt can hide the Fullscreen Warning (was: Security: Addressbar spoofing)

Comment 3 by kenrb@chromium.org, Mar 1 2018

Cc: -a...@chromium.org
Labels: Security_Severity-Low Security_Impact-Stable OS-Linux OS-Mac OS-Windows Pri-2
Owner: a...@chromium.org
Status: Assigned (was: Unconfirmed)
Assigning to Avi who is already investigating what to do with all bugs of this ilk.
Mergedinto: 812769
Status: Duplicate (was: Assigned)
Merging into Issue 812769 - same cause.

Comment 6 by sheriffbot@chromium.org, Dec 5

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
