
Issue 849691


Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Aug 9
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security




Android app on CrOS allows capture of a HTML select tag when FLAG_SECURE is set

Reported by raniel...@gmail.com, Jun 5 2018

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 10452.96.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Platform: 10452.96.0 (Official Build) stable-channel cyan

Steps to reproduce the problem:
We are seeing this issue with the alpha version of our app TestNav. It is a hybrid app with a WebView, basically a secure, controlled browser. The window has the LayoutParams.FLAG_SECURE flag set (https://developer.android.com/reference/android/view/WindowManager.LayoutParams.html#FLAG_SECURE). It is working as expected, except when the select options are displayed in the web view.

What is the expected behavior?
When taking a screenshot, the window should be completely blacked out. It works correctly when the select options are not displayed (working correctly.png).

What went wrong?
When the select options are displayed, they show up in the screenshot (select options showing.png).

Did this work before? N/A 

Chrome version: 66.0.3359.181  Channel: stable
OS Version: 10452.96.0
Flash Version:
 
Attachments: select options showing.png (26.8 KB), working correctly.png (20.8 KB)

This also happens when casting the screen.
Cc: lhchavez@chromium.org
Owner: elijahtaylor@chromium.org
Status: Untriaged (was: Unconfirmed)
Over to Elijah as well. We should consider blacking out the window during screenshots.
Labels: Security_Severity-Medium Security_Impact-Stable
Info leaks are usually considered medium severity bugs.
Labels: M-67
Cc: elijahtaylor@chromium.org lpique@chromium.org
Components: Platform>ARC
Owner: skuhne@chromium.org
Status: Assigned (was: Untriaged)
Seems like child views/popups are not inheriting the FLAG_SECURE param, but they probably should.  Stefan, can we find someone to fix this?

+lpique in case there is something we want to do at the compositing layer instead

Comment 7 by sheriffbot@chromium.org, Jun 12 2018

Labels: -Pri-2 Pri-1

Comment 8 by sheriffbot@chromium.org, Jun 20 2018

skuhne: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: Platform>Apps>ARC

Comment 10 by sheriffbot@chromium.org, Jul 4

skuhne: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by sheriffbot@chromium.org, Jul 25

Labels: -M-67 Target-68 M-68
Cc: skuhne@google.com
Cc: phshah@chromium.org
Owner: xutan@chromium.org
re-assigning to xutan@ and cc-ing phshah@ during skuhne@'s absence.
That's a shame that this vuln is left unattended for almost 2 months...
There is a quick mitigation that covers 95% of cases, but the way the Android code is constructed makes it hard to fix completely, especially when we want to upstream a fix for it in future releases.

These menus are sub-windows to the Activity window and they didn't inherit FLAG_SECURE param as Elijah pointed out above, so the fix is to simply inherit that param.

It's easy to cover the case when the sub-window is created after FLAG_SECURE is set, but hard if the flag is set after the sub-window is already created, because there is not yet a mapping from parent window to sub-windows. We certainly can create such a mapping, but IMO that's too much effort for too little benefit, because sub-windows are usually transient and setting the flag after a sub-window is shown is rare (unless that's toggled by a menu item, but then the menu will disappear when the flag is set, so it doesn't belong to this case either).

Let me know if anyone feels strongly against not covering the remaining rare cases.
Note app devs could always set the flag before showing any sub-windows to protect content in sub-windows.
Made a buganizer bug at b/112324956 for reference in CL. Please don't comment on that bug.
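The comment above describes two things an app can control on its own: set FLAG_SECURE before any sub-window exists, and apply the flag explicitly to sub-windows the app itself creates (the `<select>` popup is created by the platform, so only the ARC fix covers it). The following is an added illustration written for this page, not code from TestNav or from the Chromium/ARC fix; the activity class name, the `secureDialog` and `isSecure` helpers, and the placeholder URL are assumptions made for the example.

```java
import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;
import android.webkit.WebView;

/** Hypothetical hybrid activity that hosts a WebView behind FLAG_SECURE. */
public class SecureWebViewActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Set FLAG_SECURE before setContentView() and before any popup, dialog
        // or menu can be shown. Sub-windows created later can then pick the flag
        // up at creation time; setting it after a sub-window is already on
        // screen is the case the comment above describes as not covered.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        WebView webView = new WebView(this);
        setContentView(webView);
        webView.loadUrl("https://example.invalid/"); // placeholder URL, not TestNav's
    }

    /**
     * For sub-windows the app creates itself (e.g. a Dialog), apply FLAG_SECURE
     * explicitly rather than relying on inheritance from the parent window.
     */
    static void secureDialog(Dialog dialog) {
        Window w = dialog.getWindow();
        if (w != null) {
            w.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                       WindowManager.LayoutParams.FLAG_SECURE);
        }
    }

    /** Check used in tests or debug builds: does this window carry FLAG_SECURE? */
    static boolean isSecure(Window w) {
        int flags = w.getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }
}
```

A screenshot or cast of an activity set up this way shows a black region for the activity window and for any dialog passed through `secureDialog`; on an affected ChromeOS build, the platform-created `<select>` popup would still render, which is exactly the gap the fix in this issue closes by having sub-windows inherit the parent's flag.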
Status: Started (was: Assigned)
Labels: Merge-Request-69

Comment 20 by sheriffbot@chromium.org, Aug 9

Labels: -Merge-Request-69 Merge-Review-69 Hotlist-Merge-Review
This bug requires manual review: M69 has already been promoted to the beta branch.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
For context on the CLs that are to be merged to the 69 branch, it's just a very low risk three-liner: http://ag/4710992
Filed b/112428307 for upstream work.
Status: Fixed (was: Started)
M68 is already in staged stable release phase so we can't make it into M68. M69 already has this fix in its branch now.

Comment 25 by sheriffbot@chromium.org, Aug 10

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Cc: mrjain@google.com
Labels: -reward-topanel reward-0
Sending this over to the Android VRP to take a look.
Per #24, no merge approval required. Removing merge-request label.
Labels: -Merge-Review-69

Comment 30 by sheriffbot@chromium.org, Nov 16

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot