Fixed
Status Update
Comments
mp...@google.com <mp...@google.com> #2
Repro'd on chrome 32 linux. A quick read of http://www.w3.org/TR/webaudio/ didn't turn up spec'd origin-related behaviour for createMediaElementSource(). This does seem like a major omission in the spec, since prior to the introduction of this feature, the data would have had to have been retrieved via XHR and subject to its restrictions.
Assigning to kbr@ per webaudio/OWNERS. We can fix the bug, but the spec needs to be fixed as well.
ns...@chromium.org <ns...@chromium.org> #3
[Empty comment from Monorail migration]
pe...@google.com <pe...@google.com> #4
[Empty comment from Monorail migration]
pe...@google.com <pe...@google.com> #5
Wrong label - Security_Impact-None. c#0 says it impacts stable.
ns...@chromium.org <ns...@chromium.org> #6
[Empty comment from Monorail migration]
hc...@google.com <hc...@google.com> #7
Fixing bug priority based on security_severity-* and releaseblock-* labels.
ke...@chromium.org <ke...@chromium.org> #8
Regarding changes to the Web Audio Spec: it's fine for Web Audio to play cross-origin media. It's just not okay to allow readback of that data via OfflineAudioContext. I think the only mechanism that's needed is to detect whether a cross-origin source is connected to a graph whose destination is an OfflineAudioContext, or vice versa, and to throw an exception at that point to prevent the operation.
sp...@protonmail.com <sp...@protonmail.com> #9
Another mechanism through which a similar information disclosure is available is the ScriptProcessor node (through AudioContext or OfflineAudioContext), as I wrote in https://crbug.com/chromium/313939#c0 .
AnalyzerNode may disclose some information as well, but I don't know if cross origin should be prevented.
ke...@chromium.org <ke...@chromium.org> #10
* AnalyserNode that is.
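The check proposed in #8 (refuse a graph in which a cross-origin source can reach an OfflineAudioContext destination, regardless of the order the edges were added) and the extra sink named in #9 (ScriptProcessor) can be modelled outside the browser. The block below is an added illustration written for this page, not Chromium or Blink code; the node kinds, the `crossOrigin` flag and the choice of which kinds count as readback sinks are assumptions of the model (AnalyserNode is deliberately left out, matching the open question in #9).

```javascript
// Added example, not Chromium/Blink code. Toy model of a Web Audio graph with
// the cross-origin readback check from comments #8 and #9.
// Assumptions: a node is "cross-origin" when its media element's origin is not
// accessible to the page; readback sinks are ScriptProcessor nodes and the
// destination of an OfflineAudioContext. AnalyserNode is not treated as a sink.

class Node {
  constructor(graph, kind, { crossOrigin = false } = {}) {
    this.graph = graph;
    this.kind = kind;              // "MediaElementSource", "Gain", "ScriptProcessor", "Destination", ...
    this.crossOrigin = crossOrigin; // assumption: set by createMediaElementSource for a foreign origin
    this.outputs = new Set();
  }

  // Nodes through which script can read back sample data (model assumption).
  get isReadbackSink() {
    return this.kind === "ScriptProcessor" ||
      (this.kind === "Destination" && this.graph.offline);
  }

  // Add the edge provisionally, re-check the whole graph, and roll the edge
  // back if a cross-origin source now reaches a readback sink. Checking the
  // whole graph (not just this edge) is what makes "or vice versa" in #8 hold:
  // connecting the sink side first and the source side later is caught too.
  connect(dest) {
    this.outputs.add(dest);
    if (this.graph.hasCrossOriginReadback()) {
      this.outputs.delete(dest);
      throw new Error("SecurityError: cross-origin source reaches a readback sink");
    }
    return dest; // allows src.connect(a).connect(b) chaining as in the real API
  }
}

class Graph {
  constructor({ offline }) {
    this.offline = offline;
    this.nodes = [];
    this.destination = this.create("Destination");
  }
  create(kind, opts) {
    const n = new Node(this, kind, opts);
    this.nodes.push(n);
    return n;
  }
  // Depth-first search from every cross-origin source along output edges.
  hasCrossOriginReadback() {
    for (const src of this.nodes) {
      if (!src.crossOrigin) continue;
      const seen = new Set([src]);
      const stack = [src];
      while (stack.length) {
        const n = stack.pop();
        if (n.isReadbackSink) return true;
        for (const o of n.outputs) if (!seen.has(o)) { seen.add(o); stack.push(o); }
      }
    }
    return false;
  }
}

function throwsSecurityError(fn) {
  try { fn(); return false; } catch (e) { return /SecurityError/.test(e.message); }
}

// Realtime playback of cross-origin media through a GainNode: allowed (#8).
function allowedRealtimePlayback() {
  const g = new Graph({ offline: false });
  const src = g.create("MediaElementSource", { crossOrigin: true });
  src.connect(g.create("Gain")).connect(g.destination);
  return g.hasCrossOriginReadback() === false;
}

// Same chain into an OfflineAudioContext destination: the last edge throws,
// and the rollback leaves the graph without the offending edge.
function blockedOfflineReadback() {
  const g = new Graph({ offline: true });
  const src = g.create("MediaElementSource", { crossOrigin: true });
  const gain = g.create("Gain");
  src.connect(gain);
  const threw = throwsSecurityError(() => gain.connect(g.destination));
  return threw && !gain.outputs.has(g.destination);
}

// "Vice versa": sink side wired first, cross-origin source attached last.
function blockedReverseOrder() {
  const g = new Graph({ offline: true });
  const gain = g.create("Gain");
  gain.connect(g.destination);
  const src = g.create("MediaElementSource", { crossOrigin: true });
  return throwsSecurityError(() => src.connect(gain));
}

// ScriptProcessor in a realtime context is a readback sink too (#9).
function blockedScriptProcessorRealtime() {
  const g = new Graph({ offline: false });
  const src = g.create("MediaElementSource", { crossOrigin: true });
  return throwsSecurityError(() => src.connect(g.create("ScriptProcessor")));
}
```

The point the model makes is that a per-edge test ("is this source cross-origin and this destination offline?") is not enough: the taint has to be followed through intermediate nodes, and the check must run whenever any edge is added, since either end of the path may be wired last.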
mt...@chromium.org <mt...@chromium.org> #11
Adding area label based on an intelligent guess!
- Your friendly ClusterFuzz
ap...@google.com <ap...@google.com> #12
Adding area label based on an intelligent guess!
- Your friendly ClusterFuzz
sp...@protonmail.com <sp...@protonmail.com> #13
[Comment Deleted]
pe...@google.com <pe...@google.com> #15
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!)
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
sp...@protonmail.com <sp...@protonmail.com> #16
I think I know how to solve this. Can someone provide a pointer if there's a function in Blink to determine if the origins are the same?
am...@chromium.org <am...@chromium.org> #17
@rtoy - SecurityOrigin::canAccess().
wf...@chromium.org <wf...@chromium.org> #18
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
- Your friendly ClusterFuzz
sp...@google.com <sp...@google.com> #19
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
am...@chromium.org <am...@chromium.org> #20
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
sp...@protonmail.com <sp...@protonmail.com> #21
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
sp...@protonmail.com <sp...@protonmail.com> #22
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
am...@chromium.org <am...@chromium.org> #23
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
am...@chromium.org <am...@chromium.org> #24
[Empty comment from Monorail migration]
ap...@google.com <ap...@google.com> #25
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
sp...@protonmail.com <sp...@protonmail.com> #26
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
ag...@chromium.org <ag...@chromium.org> #27
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
am...@chromium.org <am...@chromium.org> #28
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
am...@chromium.org <am...@chromium.org> #29
[Empty comment from Monorail migration]
sp...@protonmail.com <sp...@protonmail.com> #30
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
am...@chromium.org <am...@chromium.org> #31
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
pe...@google.com <pe...@google.com> #32
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
sp...@protonmail.com <sp...@protonmail.com> #33
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
am...@chromium.org <am...@chromium.org> #34
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
sp...@protonmail.com <sp...@protonmail.com> #35
[Empty comment from Monorail migration]
am...@chromium.org <am...@chromium.org> #36
rtoy@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.
If the issue is already fixed or you are to unable to reproduce it, please close the bug. (And thanks for fixing the bug!).
These nags can be disabled by adding a 'WIP' label and an optional codereview link.
- Your friendly ClusterFuzz
Description
Security Bug
Important: Please do not change the component of this bug manually.
Please READ THIS FAQ before filing a bug:https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/faq.md
Please see the following link for instructions on filing security bugs:https://www.chromium.org/Home/chromium-security/reporting-security-bugs
Reports may be eligible for reward payments under the Chrome VRP:https://g.co/chrome/vrp
NOTE: Security bugs are normally made public once a fix has been widely deployed.
VULNERABILITY DETAILS
A vulnerability in Chrome mobile allows attackers to trigger fido:/ links, hijacking FIDO2 accounts by tricking victims into authenticating malicious requests, bypassing 2FA, and taking over accounts.
In Chrome mobile an attacker page can trigger navigation to a fido:/ link that was generated on a different origin for a webauthn authentication. This will trigger on the victim's mobile device the same passkey overlay requesting authentication as though they had scanned the QR code. This is because fido:/ URIs are treated as deep links by the base OS. This allows an adjacent network attacker to take over a victim's account (or bypass 2FA) for an RP where they have registered FIDO2 credentials with the following steps.
p.s. it was reviewed here: https://issuetracker.google.com/issues/370176231 and I was told to report it again here.
VERSION
Chrome Version: 129.0.6668.70 + stable
Operating System: iOS and Android
REPRODUCTION CASE
fido:/ out of the QR code, using a headless browser
fido:/ link is triggered in the victim's browser
While the attack is similar to proxying a QR code directly and tricking the victim into scanning it and completing the authentication request, the attack complexity using the presented approach drops rapidly, because it only requires the victim to be phished on only one device and breaks the security boundary of: "An RP's webauthn authentication request can only be started from approved origin".
I am not certain if this is an issue that should be addressed at a browser level or if the mobile OS should validate which applications are allowed to trigger a fido:/ deep-link. However I do not see the need from a browser perspective to be able to trigger such a deep-link from any origin as that breaches a clear security boundary. I would love to hear your thoughts about this.
PoC
The PoC can be simplified by simply decoding a webauthn QR code from a chromium based browser, embedding the fido:/ link in a page and then using a secondary device to visit that page and clicking on the link.
To better showcase this I have attached a Go program that automates the attack showcased. (The program is not attached here as it was said not to include a zip file, so the entire source is available at this link: https://nextcloud.mastersplinter.work/index.php/s/8MDPwR7RRBizJeY )
The program has the following dependencies:
imagemagick
tools (used for grabbing the QR code from the headless browser popup)
To reproduce the attack:
go run . -email {email used for victim account}
A video demo is included as well, showcasing the victim's view on the bottom right.
CREDIT INFORMATION Externally reported security bugs may appear in Chrome release notes. If this bug is included, how would you like to be credited? Reporter credit: mastersplinter