New issue
Advanced search Search tips

Issue 839983 link

Starred by 1 user
Status: Fixed
Merged: issue 826552
Owner:
rtoy@chromium.org
Closed: Jun 2018
Cc:
ios-bugs-priority@chromium.org
ios-bugs@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 1
Type: Bug-Security



Sign in to add a comment

Cross-origin audio leak using Web Audio API

Reported by s.h.h.n....@gmail.com, May 4 2018 
Steps to reproduce the problem:
1. Go to https://vuln.shhnjk.com/ios_leaks.html
2. Play a sound on the left side.
3. Observe that Audio is stolen and playable via sound on the right side.

What is the expected behavior?
Cross-origin audio data should not leak.

What went wrong?
Per spec: https://webaudio.github.io/web-audio-api/#MediaElementAudioSourceOptions-security
"HTMLMediaElement allows the playback of cross-origin resources. Because Web Audio allows inspection of the content of the resource (e.g. using a MediaElementAudioSourceNode, and a ScriptProcessorNode to read the samples), information leakage can occur if scripts from one origin inspect the content of a resource from another origin.

To prevent this, a MediaElementAudioSourceNode MUST output silence instead of the normal output of the HTMLMediaElement if it has been created using an HTMLMediaElement for which the execution of the fetch algorithm labeled the resource as CORS-cross-origin."

But this isn't respected.

Did this work before? N/A 

Chrome version: 66.0.3359.122  Channel: stable
OS Version: 11.3.1
Flash Version: 

I've reported this to Webkit (https://bugs.webkit.org/show_bug.cgi?id=184866) :( What happens in this case?

Comment 1 by tsepez@chromium.org, May 7 2018

Components: Blink>WebAudio
Labels: M-67 Security_Severity-Medium Security_Impact-Stable

Comment 2 by tsepez@chromium.org, May 7 2018

Owner: kbr@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 3 by rtoy@chromium.org, May 7 2018

Mergedinto: 826552
Status: Duplicate (was: Assigned)

Comment 4 by s.h.h.n....@gmail.com, May 7 2018 

I don’t think this is a duplicate because:

1. This is a bug in WKWebView.
2. This doesn’t require a redirect.

Comment 5 by rtoy@chromium.org, May 7 2018

Status: Untriaged (was: Duplicate)
Oh, IOS.  That would be a webkit bug, not a Chrome bug because I think Chrome is required to use webkit.

Don't have an IOS device to test this on.

Undup'ing for now.
Project Member

Comment 6 by sheriffbot@chromium.org, May 8 2018

Labels: -Pri-2 Pri-1
Project Member

Comment 7 by sheriffbot@chromium.org, May 8 2018

Status: Assigned (was: Untriaged)

Comment 8 by kbr@chromium.org, May 9 2018

Owner: rtoy@chromium.org
Sorry, I can't own this.

Comment 9 by rtoy@chromium.org, May 9 2018 

Sorry, I meant to reassign this to me.

Comment 10 by rtoy@chromium.org, May 21 2018

Status: ExternalDependency (was: Assigned)
Depends on webkit fixing this for iOS.

Comment 11 by rtoy@chromium.org, Jun 5 2018

Status: Fixed (was: ExternalDependency)
https://trac.webkit.org/changeset/231513/webkit indicates that webkit bug 184866 has been fixed.  Don't know when this will actually roll out to users, but the fix has landed.

Closing this as fixed.
Project Member

Comment 12 by sheriffbot@chromium.org, Jun 6 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 13 by awhalley@chromium.org, Jun 11 2018

Labels: reward-topanel
Project Member

Comment 14 by sheriffbot@chromium.org, Jun 12 2018

Labels: Merge-Request-68
Project Member

Comment 15 by sheriffbot@chromium.org, Jun 12 2018

Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by kariahda@chromium.org, Jun 13 2018 

I see sheriffbot added a merge-request. If Apple fixed the webkit issue, do we need any merge? Please remove if not.

Comment 17 by rtoy@chromium.org, Jun 13 2018 

I don't do any development of Chrome on iOS, so I don't really know, but I think there's nothing to do in chrome since the fix is in WebKit.

Comment 18 by awhalley@chromium.org, Jun 15 2018

Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 19 by awhalley@chromium.org, Jun 15 2018 

and $1,000 for this one, too - cheers!

Comment 20 by awhalley@chromium.org, Jun 15 2018

Labels: -reward-unpaid reward-inprocess

Comment 21 by kariahda@chromium.org, Jun 15 2018

Labels: -Hotlist-Merge-Review -Merge-Review-68
Thanks rtoy@. Removing merge request.
Project Member

Comment 22 by sheriffbot@chromium.org, Sep 13

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment