
Issue 855377


Issue metadata

Status: Unconfirmed
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




Exfiltrating data from the browser using battery discharge information

Reported by stu...@anchev.net, Jun 22 2018

Issue description

Chrome Version       : 67.0.3396.62
OS Version: 
URLs (if applicable) :
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari:
    Firefox: OK (according to the article)
    IE/Edge:

What steps will reproduce the problem?
A recently published article suggests that Chrome is vulnerable to a specifically designed battery attack through the W3C Battery Status API, resulting in the possibility of a website exfiltrating data to the attacker:

https://freedom-to-tinker.com/2018/06/20/exfiltrating-data-from-the-browser-using-battery-discharge-information/


What is the expected result?
Chrome should be designed in a way which does not allow such attacks.

What happens instead of that?
The article suggests that Chrome is vulnerable.

Please provide any additional information below. Attach a screenshot if
possible.

I am adding Android as OS but perhaps it is a general issue. Not sure how to properly file such a bug report. The purpose is to get this to the attention of the right people who can fix it.
 
Labels: Needs-Triage-M67
Cc: phanindra.mandapaka@chromium.org
Components: Blink
Labels: Needs-Feedback Triaged-ET
Thanks for filing the issue...

@Reporter: Could you please provide proper steps to reproduce the issue from our end and, if possible, provide a screencast for better triaging this.

Thanks!

Comment 3 by stu...@anchev.net, Jun 25 2018

Of course not. I don't have a device with a hacked battery (fortunately).

This is something that needs in-depth research. I am reporting this because it seems quite a serious security issue. For more details you could probably contact the authors of the article.
Project Member

Comment 4 by sheriffbot@chromium.org, Jun 25 2018

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: vamshi.kommuri@chromium.org
Components: Security
Labels: TE-NeedsTriageHelp
As per comments #0 and #3, this issue seems to be out of scope for us to triage from our end, hence adding the label "TE-NeedsTriageHelp" and requesting someone from the DevTeam to have a look into this and help in further triaging it.
Note: Tentatively adding component "Security"; please change if this isn't apt.

Thanks!
Components: -Blink
