New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 823194 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug-Security



Sign in to add a comment

Security: Long extension name allows spoofing of Debugging InfoBar

Reported by chromium...@gmail.com, Mar 19 2018

Issue description

Chrome Version: 67.0.3374.0 (Official Build) canary (64-bit)
Operating System: MacOS 

This is a hyphothetical attack like in  issue 673163 .

1. Install the extension.
2. Observe the bubble is over the wrong origin
 
Note: I couldn't repro this on M65.
 
test case.zip
3.2 KB Download
Screen Shot 2018-03-19 at 05.51.43.png
198 KB View Download

Comment 1 by est...@chromium.org, Mar 19 2018

Cc: rdevlin....@chromium.org dgozman@chromium.org
Components: Platform>Extensions Platform>Apps>DevTools
Labels: Needs-Feedback OS-Linux OS-Mac
I'm a little confused what's going on here. It definitely seems non-ideal that we don't truncate the extension name so that the extension gets to control the whole contents of the infobar. However, I'm not sure if there's something weird about the infobar showing up on www.google.com; if the extension is debugging that tab, why do you say that the infobar is over the wrong origin?
Note that extension is effectively debugging the browser, so we show infobar on every tab.

Truncating is a good call though.

Labels: Security_Impact-Stable OS-Chrome OS-Windows
Status: Untriaged (was: Unconfirmed)
Summary: Security: Long extension name allows spoofing of Debugging InfoBar (was: Security: debugger permission can appears over the wrong origin and allows spoofing)
The Infobar isn't shown in Chrome 65 likely because the call to debugger.attach() in the extension fails with the error "Cannot access contents of the page. Extension manifest must request permission to access the respective host." It's not clear to me whether that call should also be failing in Chrome 67, or whether the failure was a bug in 65.

https://cs.chromium.org/chromium/src/chrome/browser/extensions/api/debugger/extension_dev_tools_infobar.cc?l=69&rcl=343599182ba14cb3d98c869c1afb01edc738e296

<message name="IDS_DEV_TOOLS_INFOBAR_LABEL" desc="Label displayed in an infobar when external debugger is attached to the browser">
  "<ph name="CLIENT_NAME">$1<ex>Extension Foo</ex></ph>" is debugging this browser
</message>
Weaknesses in the restrictions on debugger.attach look like a longstanding issue, see e.g. Issue  456994,  Issue 805224 

Comment 5 by est...@chromium.org, Mar 20 2018

Labels: M-67 Security_Severity-Low Pri-3
Status: Available (was: Untriaged)

Comment 6 by est...@chromium.org, Mar 20 2018

Labels: -Needs-Feedback
Project Member

Comment 7 by sheriffbot@chromium.org, Mar 20 2018

Labels: -Pri-3 Pri-2
Owner: dgozman@chromium.org
Status: Assigned (was: Available)
dgozman@ - are you the right person to drive this to completion? Otherwise, please re-assign as appropriate.
Cc: pkasting@chromium.org
Status: Fixed (was: Assigned)
This should be fixed for all platforms which use views (linux and windows atm).
Project Member

Comment 12 by sheriffbot@chromium.org, May 10 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
$500 for this one :-)
Labels: -reward-unpaid reward-inprocess
 Issue 845270  has been merged into this issue.
Labels: -M-67 M-68
Labels: Release-0-M68
Project Member

Comment 20 by sheriffbot@chromium.org, Aug 16

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE-2018-6178 CVE_description-missing

Sign in to add a comment