Status Update
No update yet.
Comments
ze...@google.com
ap...@google.com
Similar issue, see:
ap...@google.com
Thanks for the report!
After turning on full keyboard access in the macOS Accessibility settings I was able to successfully reproduce on my large monitor -- however, the popup window and permission prompt are visible, just way off to the side and maybe easy to miss (see attached screenshot). When I try on my smaller laptop display, this no longer reproduces for me. Full keyboard access on macOS shows outlines for the element that is under focus, so I can see that the keyboard input is still controlling focus on the permission prompt which does seem to indicate that this is maybe possible, but maybe the occlusion checking is working and disabling submitting the "allow" decision while occluded?
Are there setup steps I'm missing here? Or is this maybe platform specific to Windows? I can quick try on Linux as well.
ap...@google.com
Increasing the left and top values can completely hide it. I used the minimum left and top values to hide it on my PC. You can try changing them, or maybe use left=1500 and top=1500.
ap...@google.com
If possible, could you try this on a Windows machine. My PoC is based on (made for) Windows 11 OS.
ap...@google.com
It appears that focus goes back to the PiP window and/or the focus in the permission popup resets to the first element (so not Allow), breaking the PoC on macOS. I'll spin back up my Windows VM to test there as I do expect this may be platform dependent.
ap...@google.com
Ah hmm I can't test in my VM because it doesn't have a camera device so the permission request just fails.
Routing this to PiP and permissions folks from
Setting some security labels:
- Severity-Medium (S2) hidden interaction with permissions prompt (spoofing) but with significant user interaction required
- OS: Seems likely to be triggerable with some modifications on all Desktop platforms
- FoundIn-128
ap...@google.com
ap...@google.com
Ah excellent, with that flag I can confirm I can repro on Windows Canary M130, with chrome://flags#one-time-permission enabled and passing --use-fake-device-for-media-stream on the command line.
ap...@google.com
Setting milestone because of s2 severity.
ap...@google.com
Setting Priority to P1 to match Severity s2. If this is incorrect, please reset the priority. The automation bot account won't make this change again.
ap...@google.com
Or is there an alternative solution you think we should consider?
ap...@google.com
[1]
ap...@google.com
Branch: main
commit 4fcc965f7b6a9aa9965bc84e0a180eda77a20467
Author: Tommy Steimel <steimel@chromium.org>
Date: Thu Sep 12 13:25:16 2024
pip occlusion: Prevent immediate interaction after unocclusion
We currently prevent input into a permission prompt while it's occluded
by a picture-in-picture window. However, some spoofs can still happen
immediately after a prompt because unoccluded.
This CL prevents permission dialogs from being interacted with
immediately after they're no longer occluded by a picture-in-picture
window.
Bug: 364508693
Change-Id: Ib52d1af8bc5216a50a089e319dea31f0bab108c1
Reviewed-on:
Commit-Queue: Tommy Steimel <steimel@chromium.org>
Reviewed-by: Elias Klim <elklm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1354501}
M chrome/browser/ui/views/permissions/permission_prompt_base_view.cc
ap...@google.com
Hello,
Congratulations! The Chrome Vulnerability Rewards Program (VRP) Panel has decided to award you $1000.00 for this report.
Rationale for this decision:
report of lower impact web platform privilege escalation / security UI bug
Important: If you aren't already registered with Google as a supplier, p2p-vrp@google.com will reach out to you. If you have registered in the past, no need to repeat the process – you can sit back and relax, and we will process the payment soon.
If you have any payment related requests, please direct them to p2p-vrp@google.com. Please remember to include the subject of this email and the email address that the report was sent from.
Thank you for your efforts and helping us make Chrome more secure for all users!
Cheers,
Chrome VRP Panel Bot
P.S. One other thing we'd like to mention:
* Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Please contact security-vrp@chromium.org with any questions.
ap...@google.com
Congratulations Shaheen! While the permissions dialog is pretty well hidden from the user here, there are very high user interaction preconditions required here, as such we consider this a lower impact issue. We appreciate the efforts and reporting this issue to us!
ap...@google.com
This bug has been closed for more than 14 weeks. Removing issue access restrictions.
ap...@google.com
Branch: master
commit 02178628ee0fcac7870dcb7959bf652275b81475
Author: Ian Zerny <zerny@google.com>
Date: Fri Sep 27 09:58:28 2019
Directly report compatibility edges and remove rule building.
Bug: 141729349
Bug: 120959039
Bug: 69445518
Change-Id: I67551162e6949841d1460790debc471ca92ce3ab
M src/main/java/com/android/tools/r8/CompatProguardCommandBuilder.java
M src/main/java/com/android/tools/r8/R8.java
M src/main/java/com/android/tools/r8/R8Command.java
M src/main/java/com/android/tools/r8/shaking/AnnotationRemover.java
M src/main/java/com/android/tools/r8/shaking/Enqueuer.java
M src/main/java/com/android/tools/r8/shaking/EnqueuerFactory.java
M src/main/java/com/android/tools/r8/shaking/KeepReason.java
M src/main/java/com/android/tools/r8/shaking/ProguardKeepAttributes.java
M src/main/java/com/android/tools/r8/utils/InternalOptions.java
M src/test/java/com/android/tools/r8/R8CompatTestBuilder.java
M src/test/java/com/android/tools/r8/shaking/forceproguardcompatibility/ForceProguardCompatibilityTest.java
M src/test/java/com/android/tools/r8/utils/graphinspector/GraphInspector.java
ap...@google.com
Branch: master
commit 7ce317f5a196a3e4e7563dc245e28547a1dc4db8
Author: Ian Zerny <zerny@google.com>
Date: Wed Oct 09 10:22:02 2019
Introduce a "reported set" and prepare to split reasons from witness.
Bug: 120959039
Change-Id: I512ae6e9de917bdfa90eef8202049786885697b2
M src/main/java/com/android/tools/r8/shaking/Enqueuer.java
M src/main/java/com/android/tools/r8/shaking/GraphReporter.java
M src/main/java/com/android/tools/r8/shaking/KeepReason.java
Description