Issue 839983


Issue metadata

Status: Fixed
Merged: issue 826552
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 1
Type: Bug-Security

Cross-origin audio leak using Web Audio API

Reported by s.h.h.n....@gmail.com, May 4 2018

Issue description

Steps to reproduce the problem:
1. Go to https://vuln.shhnjk.com/ios_leaks.html
2. Play a sound on the left side.
3. Observe that Audio is stolen and playable via sound on the right side.

What is the expected behavior?
Cross-origin audio data should not leak.

What went wrong?
Per spec: https://webaudio.github.io/web-audio-api/#MediaElementAudioSourceOptions-security
"HTMLMediaElement allows the playback of cross-origin resources. Because Web Audio allows inspection of the content of the resource (e.g. using a MediaElementAudioSourceNode, and a ScriptProcessorNode to read the samples), information leakage can occur if scripts from one origin inspect the content of a resource from another origin.

To prevent this, a MediaElementAudioSourceNode MUST output silence instead of the normal output of the HTMLMediaElement if it has been created using an HTMLMediaElement for which the execution of the fetch algorithm labeled the resource as CORS-cross-origin."

But this isn't respected.

Did this work before? N/A 

Chrome version: 66.0.3359.122  Channel: stable
OS Version: 11.3.1
Flash Version: 

I've reported this to Webkit (https://bugs.webkit.org/show_bug.cgi?id=184866) :( What happens in this case?
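To make the spec rule quoted above concrete, here is an added model of the decision a browser has to make (written for this page, not code from the report, WebKit or Chromium): the HTML `crossorigin` attribute decides whether the media fetch is a no-cors request (cross-origin response is opaque, i.e. "CORS-cross-origin") or a CORS request that must pass the Fetch CORS check, and only a basic or cors response may reach the audio graph. Origins, URLs and headers are constructed sample values.

```javascript
// Simplified CORS check from the Fetch standard: may `requestOrigin` read
// this response, given whether credentials were sent?
function corsCheck(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;            // no ACAO header: failure
  if (allowOrigin === '*') return !withCredentials;       // '*' is not allowed with credentials
  if (allowOrigin !== requestOrigin) return false;        // must match the requester exactly
  if (!withCredentials) return true;
  return headers['access-control-allow-credentials'] === 'true';
}

// Classify the media element's fetch the way HTML does for <audio>/<video>:
//   no crossorigin attribute   -> no-cors request; a cross-origin response is opaque
//   crossorigin="anonymous"    -> CORS request without credentials
//   crossorigin="use-credentials" -> CORS request with credentials
// Returns 'basic' | 'cors' | 'opaque' | 'error'.
function classifyMediaResponse(pageOrigin, mediaUrl, crossorigin, headers) {
  const resourceOrigin = new URL(mediaUrl).origin;
  if (resourceOrigin === pageOrigin) return 'basic';
  if (crossorigin === null) return 'opaque';              // the CORS-cross-origin case in the spec
  const withCredentials = crossorigin === 'use-credentials';
  return corsCheck(pageOrigin, withCredentials, headers) ? 'cors' : 'error';
}

// What a MediaElementAudioSourceNode must feed into the graph: the real
// samples only for basic/cors responses, silence for an opaque one
// (an errored fetch never produces playable media, so it is silent too).
// The iOS bug was that the opaque case still yielded the real samples.
function mediaElementSourceOutput(samples, responseType) {
  if (responseType === 'basic' || responseType === 'cors') {
    return Float32Array.from(samples);
  }
  return new Float32Array(samples.length);                 // all zeros = silence
}
```

A site that wants its audio analysable by another origin therefore has to opt in on both sides: serve a matching Access-Control-Allow-Origin header and have the embedding page set `crossorigin`; without that opt-in the browser is required to mute the node.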
 
Components: Blink>WebAudio
Labels: M-67 Security_Severity-Medium Security_Impact-Stable
Owner: kbr@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 3 by rtoy@chromium.org, May 7 2018

Mergedinto: 826552
Status: Duplicate (was: Assigned)
I don’t think this is a duplicate because:

1. This is a bug in WKWebView.
2. This doesn’t require a redirect.

Comment 5 by rtoy@chromium.org, May 7 2018

Status: Untriaged (was: Duplicate)
Oh, iOS.  That would be a WebKit bug, not a Chrome bug because I think Chrome is required to use WebKit.

Don't have an iOS device to test this on.

Undup'ing for now.

Comment 6 by sheriffbot@chromium.org, May 8 2018

Labels: -Pri-2 Pri-1

Comment 7 by sheriffbot@chromium.org, May 8 2018

Status: Assigned (was: Untriaged)

Comment 8 by kbr@chromium.org, May 9 2018

Owner: rtoy@chromium.org
Sorry, I can't own this.

Comment 9 by rtoy@chromium.org, May 9 2018

Sorry, I meant to reassign this to me.

Comment 10 by rtoy@chromium.org, May 21 2018

Status: ExternalDependency (was: Assigned)
Depends on webkit fixing this for iOS.

Comment 11 by rtoy@chromium.org, Jun 5 2018

Status: Fixed (was: ExternalDependency)
https://trac.webkit.org/changeset/231513/webkit indicates that webkit bug 184866 has been fixed.  Don't know when this will actually roll out to users, but the fix has landed.

Closing this as fixed.

Comment 12 by sheriffbot@chromium.org, Jun 6 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel

Comment 14 by sheriffbot@chromium.org, Jun 12 2018

Labels: Merge-Request-68

Comment 15 by sheriffbot@chromium.org, Jun 12 2018

Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
I see sheriffbot added a merge-request. If Apple fixed the webkit issue, do we need any merge? Please remove if not.

Comment 17 by rtoy@chromium.org, Jun 13 2018

I don't do any development of Chrome on iOS, so I don't really know, but I think there's nothing to do in chrome since the fix is in WebKit.
Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
and $1,000 for this one, too - cheers!
Labels: -reward-unpaid reward-inprocess
Labels: -Hotlist-Merge-Review -Merge-Review-68
Thanks rtoy@. Removing merge request.

Comment 22 by sheriffbot@chromium.org, Sep 13

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot