Security: setTimeout Circumvents Deferred Clipboard Access Protection
Reported by chriswbe...@gmail.com, Sep 8
Issue description

VULNERABILITY DETAILS
This attack exploits setTimeout to read data from a deferred reply (such as by Axios or any other promise-driven HTTP client) and inject it into the clipboard. Normally actions like this will be blocked by browser security policy. For reference, this issue is blocked in Firefox and the attack will not work.

VERSION
Chrome Version: [69.0.3497.81] + [stable]
Operating System: [OSX 10.11.6 El Capitan]

REPRODUCTION CASE
Please see attached file and click "Exploit Me" - thanks for your time.
Sep 9
Actually, sorry, I was wrong--the setTimeout does not work past 1 second (i.e. setTimeout(poll, 1005) does not allow copying to the clipboard). This is in line with our current user gesture timeout mechanism, so I'm going to close this as WontFix. Feel free to post again if you disagree.
Sep 10
The only reason I would disagree is if by chaining setTimeouts in the above manner allows subsequent timeout events to execute past 1000ms. It does look like it behaves this way on my system when I set my dev tools to Slow 3G. Well, that, and I like money. Thanks for your time either way.
Sep 11
Chrome doesn't allow user gesture token propagation through setTimeout chaining beyond depth 1. We know this is not ideal from a chaining perspective, but this prevents token abuse like this.
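The two rules the thread states (the gesture token expires after about 1 s, and setTimeout passes it on only one level deep) can be modelled outside a browser. The block below is an added example, not Chromium's code and not the reporter's attachment: it assumes exactly those two rules plus a virtual clock, and shows why one short timeout still passes while the 1005 ms timeout from the Sep 9 comment and a chain of two timeouts are both refused.

```javascript
// Added example, not Chromium code: a model of the two rules stated in this thread
// (gesture token expires after 1 s; setTimeout passes it on only one level deep).
const GESTURE_TIMEOUT_MS = 1000; // expiry observed in the Sep 9 comment
const MAX_TIMEOUT_DEPTH = 1;     // propagation limit stated in the Sep 11 comment

class GestureModel {
  constructor() { this.now = 0; this.queue = []; this.current = null; }
  // setTimeout analogue: the callback inherits the scheduling task's token one
  // level deeper; a task that holds no token passes none on.
  setTimeout(fn, delayMs) {
    const parent = this.current && this.current.token;
    const token = parent ? { createdAt: parent.createdAt, depth: parent.depth + 1 } : null;
    this.queue.push({ at: this.now + delayMs, fn, token });
  }
  // A click (or other user gesture) runs its handler with a fresh depth-0 token.
  dispatchUserGesture(handler) {
    this.run({ at: this.now, fn: handler, token: { createdAt: this.now, depth: 0 } });
  }
  // The gate a clipboard write must pass: a token within both depth and lifetime.
  hasActiveGesture() {
    const t = this.current && this.current.token;
    return Boolean(t) && t.depth <= MAX_TIMEOUT_DEPTH && this.now - t.createdAt < GESTURE_TIMEOUT_MS;
  }
  // Run one task with the virtual clock set to its due time.
  run(task) { this.current = task; this.now = task.at; task.fn(); this.current = null; }
  // Drain pending timers in due-time order (virtual clock, no real waiting).
  flush() {
    while (this.queue.length) {
      this.queue.sort((a, b) => a.at - b.at);
      this.run(this.queue.shift());
    }
  }
}
// Runs `scenario` inside a simulated click and reports whether the copy it
// eventually attempts passes the gate (null if it never attempts one).
function copyAllowed(scenario) {
  const model = new GestureModel();
  let allowed = null;
  model.dispatchUserGesture(() => scenario(model, () => { allowed = model.hasActiveGesture(); }));
  model.flush();
  return allowed;
}
// Constructed scenarios: direct copy, one short timeout, the 1005 ms timeout, two chained timeouts.
const scenarios = {
  direct: (m, copy) => copy(),
  oneTimeoutShort: (m, copy) => m.setTimeout(copy, 500),
  oneTimeoutLate: (m, copy) => m.setTimeout(copy, 1005),
  chained: (m, copy) => m.setTimeout(() => m.setTimeout(copy, 200), 200),
};
```

The chained case is refused on depth alone even though it finishes well inside the 1 s window, which is the point of the depth-1 limit.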
Dec 17
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mpdenton@google.com, Sep 9
Components: Blink>Input
Labels: Security_Severity-Medium Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Owner: mustaq@chromium.org
Status: Assigned (was: Unconfirmed)