Security: Redirected URL leak on iOS
Reported by chromium...@gmail.com, Mar 21 2018
Issue description

VERSION
Chrome Version: 66.0.3359.30
Operating System: iOS

REPRODUCTION CASE
1. Load https://attack.shhnjk.com/get_resource.html
2. Observe that the alert is shown with "shhnjk.com/?secrect".

Mar 21 2018
Is the POC supposed to be looking at element 0 instead of element 1?
performance.getEntriesByType("resource")[0].name

Mar 21 2018
Marking this as Medium severity as it is leaking cross-origin history, although in a particularly limited capacity (which might make an argument for Low severity). Adding component Blink>PerformanceAPIs>ResourceTiming per #2. I was unable to reproduce this on Chrome Dev M67 on iOS. ricea@: Could you take a look or help find an owner? Thanks.

Mar 21 2018
cthomp@ Are you able to repro this on Canary?

Mar 22 2018
The Blink component isn't right because iOS doesn't use Blink. I don't know what component to use for iOS, so I have CC'd ios-bugs@chromium.org.

Mar 22 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Mar 22 2018
Reporter: What version of iOS were you able to reproduce this on? I couldn't reproduce this issue in Desktop Safari or Safari TechPreview, which may mean that this is limited to outdated versions of WebKit on outdated iOS. In terms of Severity, this should indeed be Medium; see Issue 799847 for an equivalent case. I'm not sure if assigning a security bug to an alias works correctly. If we can reproduce this, we need to add our Apple friends and set status to ExternalDependency.

Mar 22 2018
Re c#9: iOS 11.2.2. Note: Firefox also has this bug.

Mar 22 2018
I tested Chrome 67.0.3368.0 on iOS 11.2.6. This might mean that a point release along the way included a WebKit fix that stops this.

Mar 22 2018
I was able to reproduce the bug in the iOS simulator with iOS 11.2, but not iOS 11.3. The result is the same between Safari and Chrome. So I think WebKit must have shipped a fix.

Mar 22 2018
Thanks for helping check that. I'll mark this as Fixed then.

Mar 28 2018
Thanks for the report! I'm afraid I'm marking as reward-na since no fix was made in response.

Apr 27 2018
This bug requires manual review: Less than 28 days to go before AppStore submit on M67 Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

May 1 2018
Per comment #12 and the fact that there's no cl attached to this bug, I'm removing merge-request.

Jun 29 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Mar 21 2018
The problem here is that PerformanceAPI's ResourceTiming exposes the post-redirection URL of a cross-origin resource. The POC does not seem to reproduce in Safari 11.0.3 or Safari Tech Preview 11.2, yielding the script error:
TypeError: undefined is not an object (evaluating 'performance.getEntriesByType("resource")[1].name')
(anonymous function) — get_resource.html:3