New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 826552 link

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
OOO
Closed: Jun 5
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment

Redirect circumvents same-origin restrictions for AudioWorklet

Reported by s.h.h.n....@gmail.com, Mar 27 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
1. Go to https://vuln.shhnjk.com/oudi-work.html
2. Play audio

What is the expected behavior?
MediaElementAudioSource outputs zeroes due to CORS access restrictions.

What went wrong?
Spec (https://webaudio.github.io/web-audio-api/#MediaElementAudioSourceOptions-security) says:
To prevent this, a MediaElementAudioSourceNode MUST output silence instead of the normal output of the HTMLMediaElement if it has been created using an HTMLMediaElement for which the execution of the fetch algorithm labeled the resource as CORS-cross-origin.

If you play around with 2 buttons, whenever audio is set directly to "https://www.w3schools.com/tags/horse.mp3", output is zeroed correctly. But when you set audio through redirect, it'll happily output real audio.

Per spec, Web Audio allows inspection of the content of the resource. So this bug should leak cross-origin audio, but I haven't figured out how yet :(

Did this work before? N/A 

Chrome version: 67.0.3377.1  Channel: dev
OS Version: Windows 10
Flash Version:
 
Components: Blink>WebAudio Blink>SecurityFeature>SameOriginPolicy
Labels: FoundIn-67
Status: Untriaged (was: Unconfirmed)
Summary: Redirect circumvents same-origin restrictions for AudioWorklet (was: AudioWorklet outputs CORS-cross-origin audio)
Nice find, thanks!

Comment 2 by mmoroz@chromium.org, Mar 28 2018

Cc: tkent@chromium.org thakis@chromium.org
Labels: -OS-Windows Security_Impact-Head M-67 Security_Severity-Medium OS-All
Owner: rtoy@chromium.org
Status: Assigned (was: Untriaged)
It seems like ScriptProcessorNode has the same issue.

PoC
https://vuln.shhnjk.com/uudi-work.html

Play audio in above page and check the devtools console. You will see non-0 outputs logged by AudioWorkletProcessor as well as ScriptProcessor. Those might have different root cause because captureStream doesn't work on that audio (which suggests that audio is tainted at least for Media Capture APIs).
But ScriptProcessor is already released so above PoC works with Chrome 65.

PS
I'm stuck on converting Typed array data to audio data :(  What a shame...

Project Member

Comment 4 by sheriffbot@chromium.org, Mar 29 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Mar 29 2018

Labels: -Pri-2 Pri-1

Comment 6 by rtoy@chromium.org, Mar 30 2018

This is very likely not a security regression since it also appears in ScriptProcessorNode. This has probably existed since CORS support was added to MediaElementAudioSourceNode several years ago. It only showed up now because someone was testing it with the newly released AudioWorklet.
Just FYI, I would like to publish this bug on November if fixed. It’d be great if this bug could be fixed before that. Thanks!
Here is a proper PoC of stealing cross-origin audio.
https://vuln.shhnjk.com/eudi-work.html
Project Member

Comment 9 by sheriffbot@chromium.org, Apr 14 2018

rtoy: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 10 by sheriffbot@chromium.org, Apr 18 2018

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 11 by mkwst@chromium.org, Apr 20 2018

Cc: jakearchibald@chromium.org
M67 Stable promotion is coming soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. Thank you.


Project Member

Comment 13 by sheriffbot@chromium.org, Apr 29 2018

rtoy: Uh oh! This issue still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Security_Impact-Beta -ReleaseBlock-Stable Security_Impact-Stable

Comment 15 by rtoy@chromium.org, May 1 2018

Cc: yhirano@chromium.org
Cc: toyoshim@chromium.org mkwst@chromium.org

Comment 17 by rtoy@chromium.org, May 7 2018

Cc: kbr@chromium.org
 Issue 839983  has been merged into this issue.

Comment 18 by rtoy@chromium.org, May 9 2018

Somewhat related issue:   619114 
rtoy, can you please give an update on this bug? Thanks!

Comment 20 by rtoy@chromium.org, May 21 2018

Still in progress.
Project Member

Comment 21 by bugdroid1@chromium.org, Jun 5

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/761c75d2d607638ff53c764b4925bcca9be601d8

commit 761c75d2d607638ff53c764b4925bcca9be601d8
Author: Raymond Toy <rtoy@chromium.org>
Date: Tue Jun 05 00:28:50 2018

Redirect should not circumvent same-origin restrictions

Check whether we have access to the audio data when the format is set.
At this point we have enough information to determine this. The old approach
based on when the src was changed was incorrect because at the point, we
only know the new src; none of the response headers have been read yet.

This new approach also removes the incorrect message reported in 619114.

Bug:  826552 ,  619114 
Change-Id: I95119b3a1e399c05d0fbd2da71f87967978efff6
Reviewed-on: https://chromium-review.googlesource.com/1069540
Commit-Queue: Raymond Toy <rtoy@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Hongchan Choi <hongchan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#564313}
[add] https://crrev.com/761c75d2d607638ff53c764b4925bcca9be601d8/third_party/WebKit/LayoutTests/http/tests/security/media-element-audio-source-node-redirect-expected.txt
[add] https://crrev.com/761c75d2d607638ff53c764b4925bcca9be601d8/third_party/WebKit/LayoutTests/http/tests/security/media-element-audio-source-node-redirect.html
[modify] https://crrev.com/761c75d2d607638ff53c764b4925bcca9be601d8/third_party/WebKit/LayoutTests/http/tests/security/resources/webaudio/media-element-audio-source-node-test.js
[modify] https://crrev.com/761c75d2d607638ff53c764b4925bcca9be601d8/third_party/blink/renderer/modules/webaudio/base_audio_context.cc
[modify] https://crrev.com/761c75d2d607638ff53c764b4925bcca9be601d8/third_party/blink/renderer/modules/webaudio/base_audio_context.h
[modify] https://crrev.com/761c75d2d607638ff53c764b4925bcca9be601d8/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.cc
[modify] https://crrev.com/761c75d2d607638ff53c764b4925bcca9be601d8/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.h

Labels: Merge-Request-68
Probably too late for M67, but this might be good to have for M68.

Therefore requesting merge to 68.
Project Member

Comment 23 by sheriffbot@chromium.org, Jun 5

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: falken@chromium.org
Project Member

Comment 25 by sheriffbot@chromium.org, Jun 6

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 26 by sheriffbot@chromium.org, Jun 6

Labels: -Merge-Request-68 Hotlist-Merge-Approved Merge-Approved-68
Your change meets the bar and is auto-approved for M68. Please go ahead and merge the CL to branch 3440 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 27 by bugdroid1@chromium.org, Jun 6

Labels: -merge-approved-68 merge-merged-3440
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/93d25b7e2449ca6fd7b1c3dc003f5bfce1495559

commit 93d25b7e2449ca6fd7b1c3dc003f5bfce1495559
Author: Raymond Toy <rtoy@chromium.org>
Date: Wed Jun 06 15:48:11 2018

Redirect should not circumvent same-origin restrictions

Check whether we have access to the audio data when the format is set.
At this point we have enough information to determine this. The old approach
based on when the src was changed was incorrect because at the point, we
only know the new src; none of the response headers have been read yet.

This new approach also removes the incorrect message reported in 619114.

Bug:  826552 ,  619114 
Change-Id: I95119b3a1e399c05d0fbd2da71f87967978efff6
Reviewed-on: https://chromium-review.googlesource.com/1069540
Commit-Queue: Raymond Toy <rtoy@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Hongchan Choi <hongchan@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#564313}(cherry picked from commit 761c75d2d607638ff53c764b4925bcca9be601d8)
Reviewed-on: https://chromium-review.googlesource.com/1089070
Reviewed-by: Raymond Toy <rtoy@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#210}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}
[add] https://crrev.com/93d25b7e2449ca6fd7b1c3dc003f5bfce1495559/third_party/WebKit/LayoutTests/http/tests/security/media-element-audio-source-node-redirect-expected.txt
[add] https://crrev.com/93d25b7e2449ca6fd7b1c3dc003f5bfce1495559/third_party/WebKit/LayoutTests/http/tests/security/media-element-audio-source-node-redirect.html
[modify] https://crrev.com/93d25b7e2449ca6fd7b1c3dc003f5bfce1495559/third_party/WebKit/LayoutTests/http/tests/security/resources/webaudio/media-element-audio-source-node-test.js
[modify] https://crrev.com/93d25b7e2449ca6fd7b1c3dc003f5bfce1495559/third_party/blink/renderer/modules/webaudio/base_audio_context.cc
[modify] https://crrev.com/93d25b7e2449ca6fd7b1c3dc003f5bfce1495559/third_party/blink/renderer/modules/webaudio/base_audio_context.h
[modify] https://crrev.com/93d25b7e2449ca6fd7b1c3dc003f5bfce1495559/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.cc
[modify] https://crrev.com/93d25b7e2449ca6fd7b1c3dc003f5bfce1495559/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.h

Just FYI, it's also possible to steal audio data of cross-origin video.

PoC: https://vuln.shhnjk.com/webvideo.html
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Nice one s.h.h.n.j.k@, $1,000 for this report!
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M68
Labels: CVE-2018-6161 CVE_description-missing
Project Member

Comment 35 by sheriffbot@chromium.org, Sep 12

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment