Issue 844195

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug-Security

Blocking:
issue 798795




Security: SpeechSynthesisEvent exposes high-resolution timestamps

Reported by mds...@gmail.com, May 17 2018

Issue description

VULNERABILITY DETAILS

SpeechSynthesisEvent#elapsedTime is specified to return the elapsed time in
seconds since the associated SpeechSynthesisUtterance began playing to the user.
Chrome instead returns the elapsed time in milliseconds.

Moreover, SpeechSynthesis::StartSpeakingImmediately and
SpeechSynthesis::FireEvent (blink/renderer/modules/speech/speech_synthesis.cc)
draw the timestamps used to calculate the elapsed time value from
CurrentTimeInSeconds, which returns a raw OS timestamp that bypasses the
degradation of resolution applied to performance.now() post-Meltdown/Spectre. We
have been able to observe timing precision of 5-7 microseconds via this route
(vs the 20 microseconds exposed via performance.now).

Ideally, Chrome would have one designated API for obtaining a user-safe
timestamp value, instead of applying the necessary filtering ad-hoc at the
performance.now() API boundary.

VERSION

Chrome Version: 66.0.3359.181 stable
Operating System: Windows 10 Pro Version 1709 (OS Build 16299.371)

REPRODUCTION CASE

`demo.html` compares time intervals extracted from the Web Speech API with ones
obtained via performance.now()
 
Attachment: demo.html (3.6 KB)
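Added example (not the reporter's demo.html and not Chromium's patch): a JavaScript sketch of the mitigation this report asks for, clamping each raw clock reading to a resolution floor before the elapsed time is computed, and returning the value in seconds as the spec requires. The 100 µs floor, the function names and the sample readings are assumptions made for this example; Chromium's real clamp constant and code are not reproduced. The last function is a regression check a defender can run over values an API reports to confirm it leaks no finer granularity than its declared floor.

```javascript
// Added example, not Chromium code. Models the fix's idea: coarsen raw clock
// readings before they reach web content, so differences between two
// SpeechSynthesisEvent.elapsedTime values carry no sub-floor information.

// Resolution floor in microseconds. 100 us is an assumed value for this
// example, not Chromium's actual clamp constant.
const RESOLUTION_US = 100;

// Round a raw microsecond timestamp down to a multiple of the floor. Flooring
// (rather than rounding) keeps a monotone input clock monotone after clamping.
function clampMicros(us, resolutionUs = RESOLUTION_US) {
  if (!Number.isInteger(us) || us < 0) {
    throw new RangeError('timestamp must be a non-negative integer microsecond count');
  }
  if (!Number.isInteger(resolutionUs) || resolutionUs <= 0) {
    throw new RangeError('resolution must be a positive integer microsecond count');
  }
  return us - (us % resolutionUs);
}

// elapsedTime as the spec defines it: seconds since the utterance started.
// Both readings are clamped first, so the difference is always a multiple of
// the floor. Dividing by 1e6 yields seconds (the report notes Chrome returned
// milliseconds here).
function elapsedTimeSeconds(startUs, nowUs, resolutionUs = RESOLUTION_US) {
  const start = clampMicros(startUs, resolutionUs);
  const now = clampMicros(nowUs, resolutionUs);
  if (now < start) throw new RangeError('clock reading precedes utterance start');
  return (now - start) / 1e6;
}

// Regression check: given elapsedTime values (seconds) reported by some API,
// return true if any consecutive difference is not a multiple of the declared
// floor, i.e. the API exposes finer timing than it should.
function exposesFinerThan(valuesSeconds, resolutionUs = RESOLUTION_US) {
  const sorted = [...valuesSeconds].sort((a, b) => a - b);
  for (let i = 1; i < sorted.length; i++) {
    const diffUs = Math.round((sorted[i] - sorted[i - 1]) * 1e6);
    if (diffUs % resolutionUs !== 0) return true;
  }
  return false;
}

// Constructed raw readings (microseconds since an arbitrary epoch), standing in
// for what an unclamped OS clock would return. These are not measured values.
const CONSTRUCTED_START_US = 5000017;
const CONSTRUCTED_EVENTS_US = [5000024, 5000031, 5000156, 5000263];

// Unclamped: the differences carry single-digit-microsecond structure.
const rawElapsed = CONSTRUCTED_EVENTS_US.map((t) => (t - CONSTRUCTED_START_US) / 1e6);
// Clamped: every value is a multiple of the floor.
const safeElapsed = CONSTRUCTED_EVENTS_US.map((t) => elapsedTimeSeconds(CONSTRUCTED_START_US, t));

console.log('raw elapsed (s):    ', rawElapsed, 'leaks:', exposesFinerThan(rawElapsed));
console.log('clamped elapsed (s):', safeElapsed, 'leaks:', exposesFinerThan(safeElapsed));
```

Clamping each reading, rather than the difference, is the point: if only the difference were coarsened, a caller could still recover fine structure by comparing against a separately obtained clamped clock. Flooring to integer microsecond ticks also avoids the float drift that dividing seconds by a fractional resolution would introduce.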
Blocking: 798795
Cc: palmer@chromium.org
Cc: katie@chromium.org dmazz...@chromium.org dtseng@chromium.org
Components: Privacy
Labels: Security_Severity-Low Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows Pri-2
Status: Available (was: Unconfirmed)
Labeling low-severity as high-resolution timers aren't something that is exploitable on their own but are useful as part of timing-based attacks.

katie@ could you please take a look at this or suggest someone more suitable?

Comment 3 by katie@chromium.org, May 18 2018

Owner: katie@chromium.org

Comment 4 by katie@chromium.org, May 18 2018

Status: Started (was: Available)

Comment 5 by bugdroid1@chromium.org, May 25 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cd32918faafeb42a02f6d47c41741cc11f43226d

commit cd32918faafeb42a02f6d47c41741cc11f43226d
Author: Katie D <katie@chromium.org>
Date: Fri May 25 19:52:44 2018

Use web-safe timestamps in window.speechSynthesis.

Tested to ensure that the values are the same magnitude as before the change.

Bug: 844195
Change-Id: I8f884e1535037741bc34186edcfb80ac3f96a2bd
Reviewed-on: https://chromium-review.googlesource.com/1066225
Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org>
Reviewed-by: Jonathan Metzman <metzman@chromium.org>
Commit-Queue: Katie Dektar <katie@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561982}
[modify] https://crrev.com/cd32918faafeb42a02f6d47c41741cc11f43226d/third_party/blink/renderer/modules/speech/speech_synthesis.cc
[modify] https://crrev.com/cd32918faafeb42a02f6d47c41741cc11f43226d/third_party/blink/renderer/modules/speech/speech_synthesis.h

Comment 6 by katie@chromium.org, May 25 2018

Status: Fixed (was: Started)

Comment 7 by sheriffbot@chromium.org, May 26 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Thanks for the report, mdsmtp@. The VRP panel decided to award $500 for this. Cheers!
Labels: -reward-unpaid reward-inprocess

Comment 12 by sheriffbot@chromium.org, Sep 1

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
