Stealing cross-origin video pixel with HLS
Reported by s.h.h.n....@gmail.com, Jul 17
Issue description

Steps to reproduce the problem:
1. Go to https://test.shhnjk.com/hls/steal.html
2. Play video on the top
3. Click on get image

What is the expected behavior?
Access to cross-origin video's pixels is denied.

What went wrong?
Even though the video is loaded from https://test.shhnjk.com/hls/testa.m3u8, the actual video data is served from https://vuln.shhnjk.com/video.m3u8, which is cross-origin. But Chrome leaks the initial video pixels to the page. This might be because the same-origin check is happening with the video URL, but due to the HLS architecture, that video file still allows loading cross-origin video.

Did this work before? N/A
Chrome version: 67.0.3396.87
Channel: stable
OS Version: 6.0.1
Flash Version:

Jul 17
D'oh, sorry about closing this - didn't see the "Android" tag as opposed to iOS. +cc some media folks, can you follow up on this please?

Jul 17
Here's a PoC to steal any frame of video. It will steal the video frame when you click on the get image button. https://test.shhnjk.com/hls/blink_steal.html

Jul 18
dalecurtis@ suggested a fix offline. I will take a closer look and test things out tomorrow.

Jul 19
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/153f8457c7867d5c9b627c11b52f5de0671d2fff

commit 153f8457c7867d5c9b627c11b52f5de0671d2fff
Author: Thomas Guilbert <tguilbert@chromium.org>
Date: Thu Jul 19 05:03:58 2018

Fix HasSingleSecurityOrigin for HLS

HLS manifests can request segments from a different origin than the original manifest's origin. We do not inspect HLS manifests within Chromium, and instead delegate to Android's MediaPlayer. This means we need to be conservative, and always assume segments might come from a different origin.

HasSingleSecurityOrigin should always return false when decoding HLS.

Bug: 864283
Change-Id: Ie16849ac6f29ae7eaa9caf342ad0509a226228ef
Reviewed-on: https://chromium-review.googlesource.com/1142691
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Dominick Ng <dominickn@chromium.org>
Commit-Queue: Thomas Guilbert <tguilbert@chromium.org>
Cr-Commit-Position: refs/heads/master@{#576378}

[modify] https://crrev.com/153f8457c7867d5c9b627c11b52f5de0671d2fff/media/blink/webmediaplayer_impl.cc
[modify] https://crrev.com/153f8457c7867d5c9b627c11b52f5de0671d2fff/media/blink/webmediaplayer_impl.h
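
A hypothetical C++ model of the origin bookkeeping the commit message describes, added here as an illustration and not Chromium's own code (the class MediaOriginTracker, its methods and the .mp4 file names are constructed; the real logic lives in media/blink/webmediaplayer_impl.cc). It contrasts the pre-fix check, which only sees the manifest URL the browser itself fetched, with the fixed check, which treats any load delegated to the platform HLS player as potentially multi-origin and therefore canvas-tainting.

```cpp
#include <set>
#include <string>
#include <utility>

// Origin = scheme://host[:port]. Constructed helper, not Chromium code.
std::string OriginOf(const std::string& url) {
  size_t scheme_end = url.find("://");
  if (scheme_end == std::string::npos) return "";
  size_t path_start = url.find('/', scheme_end + 3);
  return url.substr(0, path_start == std::string::npos ? url.size() : path_start);
}

// Hypothetical model of the origin bookkeeping a media player must do before
// letting a <canvas> read video pixels. Not Chromium's WebMediaPlayerImpl.
class MediaOriginTracker {
 public:
  explicit MediaOriginTracker(std::string document_origin)
      : document_origin_(std::move(document_origin)) {}
  // Every URL the browser itself fetched for this media element.
  void OnResourceLoaded(const std::string& url) { origins_.insert(OriginOf(url)); }
  // Playback handed to a platform player (Android MediaPlayer for HLS) that
  // fetches manifest segments without reporting their URLs back.
  void OnDelegatedToPlatformPlayer() { delegated_ = true; }
  // Pre-fix logic: only URLs the browser loaded are inspected, so a
  // same-origin manifest whose segments live elsewhere looks single-origin.
  bool HasSingleSecurityOriginBuggy() const { return origins_.size() == 1; }
  // Fixed logic: a delegated load may have pulled data from any origin, so
  // conservatively report that there is no single security origin.
  bool HasSingleSecurityOrigin() const {
    return !delegated_ && HasSingleSecurityOriginBuggy();
  }
  // Canvas reads (getImageData/toDataURL) must be refused unless all data
  // provably came from the document's own origin.
  bool WouldTaintCanvas() const {
    return !(HasSingleSecurityOrigin() && SoleOriginIsDocument());
  }
  bool WouldTaintCanvasBuggy() const {
    return !(HasSingleSecurityOriginBuggy() && SoleOriginIsDocument());
  }

 private:
  bool SoleOriginIsDocument() const {
    return !origins_.empty() && *origins_.begin() == document_origin_;
  }
  std::string document_origin_;
  std::set<std::string> origins_;
  bool delegated_ = false;
};
```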

Jul 19
I will verify on Dev tomorrow.

Jul 20
The NextAction date has arrived: 2018-07-20

Jul 20
Canary doesn't have the patch yet. Snoozing till Monday.

Jul 23
The NextAction date has arrived: 2018-07-23

Jul 23
Verified on Canary 70.0.3498.0

Aug 3
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review.

Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Aug 4
This is already in the m69 branch, no action needed.

Aug 6
*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.

Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************

Aug 6
Thanks again s.h.h.n.j.k@, $4,000 for this one.

Aug 6
Great! Thanks!

Comment 1 by dominickn@chromium.org, Jul 17
Status: Duplicate (was: Unconfirmed)