New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 821661 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 822957
Owner: ----
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug
Team-Security-UX



Sign in to add a comment

Security: Camera request permission UI spoof

Reported by chromium...@gmail.com, Mar 14 2018

Issue description

Chrome Version: 67.0.3369.0 (Official Build) canary (64-bit)
Operating System: All

This is similar to  bug 816033 , but in this issue the camera icon can appears after navigation to another origin.

1. Set up a local webserver to host poc.html
2. Click on "Click here" button and allow the request and wait.

Actual:
On the right of the omnibox, the camera icon is stays open, and when you click on it you can see the request is asking to "continue allowing http://localhost..." 
 
Screen Shot 2018-03-14 at 03.09.16.png
243 KB View Download
test.html
267 bytes View Download
Components: UI>Browser>Permissions>Indicators
I can't reproduce this on Canary (Mac) or a tip of tree build on Linux.

In neither case do we automatically open this particular menu; you have to explicitly click on the icon in the omnibox to show it. And in both cases, the menu closes automatically on navigation as its supposed to.

Can you please record a video of what you're seeing?

Comment 2 by est...@chromium.org, Mar 14 2018

Labels: Needs-Feedback
screen.mp4
342 KB View Download
Project Member

Comment 4 by sheriffbot@chromium.org, Mar 14 2018

Cc: est...@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by est...@chromium.org, Mar 14 2018

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Needs-Bisect M-67 OS-Mac Pri-2 Type-Bug
Status: Available (was: Unconfirmed)
Thanks for the video! I can reproduce this on Mac Canary. It doesn't reproduce on stable so it looks like a recent regression.

I don't think this has security consequences because the user would have to already approve the permission prompt. At worst the user might get confused about which origin the menu represents, but I don't think there's a convincing attack scenario.
Thanks for the video. I'm still having issues reproducing in Canary 67.0.3370.0 - estark, which Canary were you looking at?

Comment 7 by est...@chromium.org, Mar 15 2018

I'm reproducing on 67.0.3370.0. Maybe a race...? In which case, it might not be a recent regression as I hypothesized in #5.
Labels: -Needs-Bisect Triaged-ET Target-67 FoundIn-67 Needs-Triage-M67 OS-Linux OS-Windows
Status: Untriaged (was: Available)
Able to reproduce the issue on Mac 10.13.3, Win-10 and Ubuntu 14.04 using chrome stable version #65.0.3325.162 and latest canary #67.0.3370.0.
This is a non-regression issue as it is observed from M60 old builds. 

Hence, marking it as untriaged to get more inputs from dev team.

Thanks...!!
Cc: timloh@chromium.org
+timloh, do you have some time to investigate this?
Cc: -timloh@chromium.org mkwst@chromium.org
+cc mkwst, SYD isn't able to look at new permissions bugs right now unfortunately.
Owner: guidou@chromium.org
Status: Assigned (was: Untriaged)
I think this is a dupe of  issue 822957 

Comment 12 Deleted

Labels: Restrict-View-SecurityTeam
krajshree@: Can you reproduce reliably? If so, can you provide some extra details?
I have been unable to repro on any platform following the instructions on the original post.
Labels: -Restrict-View-SecurityTeam
Cc: guidou@chromium.org
Owner: ----
Status: Untriaged (was: Assigned)
Making this bug available since I cannot reproduce and cannot act on it.
I will gladly assist anyone who can provide actionable info.
Mergedinto: 822957
Status: Duplicate (was: Untriaged)
Merge with  issue 822957 .

Sign in to add a comment