
Issue metadata

Status: Verified
Merged: issue 864286
Owner:
Closed: Jul 2018
Cc:
Components:
EstimatedDays: ----
NextAction: 2018-07-23
OS: Android
Pri: 1
Type: Bug-Security




Issue 864283: Stealing cross-origin video pixel with HLS

Reported by s.h.h.n....@gmail.com, Jul 17 2018

Issue description

Steps to reproduce the problem:
1. Go to https://test.shhnjk.com/hls/steal.html
2. Play video on the top
3. Click on get image

What is the expected behavior?
Access to cross-origin video's pixel is denied

What went wrong?
Even though the video is loaded from https://test.shhnjk.com/hls/testa.m3u8, the actual video data is served from https://vuln.shhnjk.com/video.m3u8, which is cross-origin. But Chrome leaks the initial video pixels to the page. This might be because the same-origin check is done against the video URL, but due to the HLS architecture, that video file still allows loading cross-origin video.

Did this work before? N/A 

Chrome version: 67.0.3396.87  Channel: stable
OS Version: 6.0.1
Flash Version:
 

Comment 1 by dominickn@chromium.org, Jul 17 2018

Mergedinto: 864286
Status: Duplicate (was: Unconfirmed)

Comment 2 by dominickn@chromium.org, Jul 17 2018

Cc: dalecur...@chromium.org liber...@chromium.org
Components: Internals>Media>Video
Labels: Security_Severity-Medium Security_Impact-Stable
Owner: mlamouri@chromium.org
Status: Assigned (was: Duplicate)
D'oh, sorry about closing this - didn't see the "Android" tag as opposed to iOS.

+cc some media folks, can you follow up on this please?

Comment 3 by mlamouri@chromium.org, Jul 17 2018

Cc: mlamouri@chromium.org
Owner: tguilbert@chromium.org

Comment 4 by s.h.h.n....@gmail.com, Jul 17 2018

Here's a PoC to steal any frame of video. It will steal the video frame when you click on the get image button.

https://test.shhnjk.com/hls/blink_steal.html

Comment 5 by tguilbert@chromium.org, Jul 18 2018

Status: Started (was: Assigned)
dalecurtis@ suggested a fix offline. I will take a closer look and test things out tomorrow.

Comment 6 by sheriffbot@chromium.org, Jul 18 2018

Project Member
Labels: M-68 Target-68

Comment 7 by sheriffbot@chromium.org, Jul 18 2018

Project Member
Labels: -Pri-2 Pri-1

Comment 8 by bugdroid1@chromium.org, Jul 19 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/153f8457c7867d5c9b627c11b52f5de0671d2fff

commit 153f8457c7867d5c9b627c11b52f5de0671d2fff
Author: Thomas Guilbert <tguilbert@chromium.org>
Date: Thu Jul 19 05:03:58 2018

Fix HasSingleSecurityOrigin for HLS

HLS manifests can request segments from a different origin than the
original manifest's origin. We do not inspect HLS manifests within
Chromium, and instead delegate to Android's MediaPlayer. This means we
need to be conservative, and always assume segments might come from a
different origin. HasSingleSecurityOrigin should always return false
when decoding HLS.

Bug: 864283
Change-Id: Ie16849ac6f29ae7eaa9caf342ad0509a226228ef
Reviewed-on: https://chromium-review.googlesource.com/1142691
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Dominick Ng <dominickn@chromium.org>
Commit-Queue: Thomas Guilbert <tguilbert@chromium.org>
Cr-Commit-Position: refs/heads/master@{#576378}
[modify] https://crrev.com/153f8457c7867d5c9b627c11b52f5de0671d2fff/media/blink/webmediaplayer_impl.cc
[modify] https://crrev.com/153f8457c7867d5c9b627c11b52f5de0671d2fff/media/blink/webmediaplayer_impl.h

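As an added example (not Chromium's code and not the reporter's PoC) of why the conservative check in the commit above is needed: a playlist-origin check that resolves every URI an HLS playlist references and reports whether they all share the manifest's origin. The playlist texts and the `keys.example` origin are constructed; the two shhnjk.com URLs are the ones from the report.

```javascript
// Added example (not Chromium's code): why a same-origin HLS manifest URL
// says nothing about where the media bytes come from. The playlists below are
// constructed, modelled on the URLs in the report.

// Collect every origin an HLS playlist would fetch from: child playlists and
// segments (non-tag lines) plus tags carrying a URI attribute such as
// #EXT-X-KEY, #EXT-X-MAP and #EXT-X-MEDIA. Relative URIs resolve against the
// manifest URL, as a player would resolve them.
function playlistOrigins(manifestUrl, manifestText) {
  const base = new URL(manifestUrl);
  const origins = new Set([base.origin]);
  for (const raw of manifestText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "") continue;
    if (line.startsWith("#")) {
      const m = line.match(/URI="([^"]*)"/);
      if (m) origins.add(new URL(m[1], base).origin);
      continue;
    }
    origins.add(new URL(line, base).origin);
  }
  return origins;
}

// The check the commit makes conservative: when the manifest is not inspected
// (manifestText is null, the Android MediaPlayer case) there is no basis for
// claiming a single origin, so answer false and leave the canvas tainted.
// When the text is available, answer from the origins it actually references.
function hlsHasSingleSecurityOrigin(manifestUrl, manifestText) {
  if (manifestText == null) return false;
  return playlistOrigins(manifestUrl, manifestText).size === 1;
}

// Constructed master playlist: same-origin manifest, cross-origin media playlist.
const MASTER_URL = "https://test.shhnjk.com/hls/testa.m3u8";
const MASTER = [
  "#EXTM3U",
  "#EXT-X-STREAM-INF:BANDWIDTH=1000000",
  "https://vuln.shhnjk.com/video.m3u8",
].join("\n");

// Constructed media playlist: relative segments, but the key comes from a
// third (placeholder) origin, so it is not single-origin either.
const MEDIA = [
  "#EXTM3U",
  '#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example/key.bin"',
  "#EXTINF:10,",
  "seg0.ts",
  "#EXT-X-ENDLIST",
].join("\n");
```

A manifest-URL-only comparison would call both playlists same-origin with the page; resolving the referenced URIs shows two origins in each, which is the gap the fix closes by never claiming a single origin for HLS.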
Comment 9 by tguilbert@chromium.org, Jul 19 2018

NextAction: 2018-07-20
Status: Fixed (was: Started)
I will verify on Dev tomorrow

Comment 10 by monor...@bugs.chromium.org, Jul 20 2018

The NextAction date has arrived: 2018-07-20

Comment 11 by sheriffbot@chromium.org, Jul 20 2018

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 12 by tguilbert@chromium.org, Jul 20 2018

NextAction: 2018-07-23
Canary doesn't have the patch yet. Snoozing till Monday

Comment 13 by awhalley@chromium.org, Jul 23 2018

Labels: reward-topanel

Comment 14 by monor...@bugs.chromium.org, Jul 23 2018

The NextAction date has arrived: 2018-07-23

Comment 15 by awhalley@google.com, Jul 23 2018

Labels: -M-68 M-69

Comment 16 by awhalley@google.com, Jul 23 2018

Labels: -Target-68 Target-69

Comment 17 by tguilbert@chromium.org, Jul 23 2018

Status: Verified (was: Fixed)
Verified on Canary 70.0.3498.0

Comment 18 by sheriffbot@chromium.org, Aug 3

Project Member
Labels: Merge-Request-69

Comment 19 by sheriffbot@chromium.org, Aug 3

Project Member
Labels: -Merge-Request-69 Merge-Review-69 Hotlist-Merge-Review
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by benmason@chromium.org, Aug 3

Labels: -Merge-Review-69 Merge-Approved-69

Comment 21 by dalecur...@chromium.org, Aug 4

Labels: -Hotlist-Merge-Review -Merge-Approved-69
This is already in the m69 branch, no action needed.

Comment 22 by awhalley@chromium.org, Aug 6

Labels: -reward-topanel reward-unpaid reward-4000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 23 by awhalley@chromium.org, Aug 6

Thanks again s.h.h.n.j.k@, $4,000 for this one.

Comment 24 by s.h.h.n....@gmail.com, Aug 6

Great! Thanks!

Comment 25 by awhalley@chromium.org, Aug 6

Labels: -reward-unpaid reward-inprocess

Comment 26 by awhalley@google.com, Aug 16

Labels: Release-0-M69

Comment 27 by awhalley@chromium.org, Sep 4

Labels: CVE-2018-16072 CVE_description-missing

Comment 28 by awhalley@chromium.org, Jan 4

Labels: -CVE_description-missing CVE_description-submitted

Comment 29 by awhalley@google.com, Jan 8

Labels: -Restrict-View-SecurityNotify allpublic
