Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Chrome Password Manager Cross Origin Weakness
Release Date: 2010-02-15
Application: Google Chrome Web Browser
Versions: 4.0.249.78, 3.0.195.38, and likely earlier
Severity: Medium/Low
Author: Timothy D. Morgan
src="http://evil.example.com/image.png" />
This page should not be protected by any authentication and should be hosted
at:
http://victim.example.org/test-img.html
2. Set up an HTTP digest protected area under the following URL:
http://victim.example.org/private/
3. Set up the attacker's server to be protected by HTTP authentication such that
the following URL is protected:
http://evil.example.com/image.png
4. Use Google Chrome to log in to an area protected with HTTP authentication,
such as:
http://victim.example.org/private
Save the password in the password manager.
5. Finally, access the unauthenticated HTML page on the victim's server:
http://victim.example.org/test-img.html
Since the embedded image requires authentication, a password prompt should
appear. In vulnerable versions of Google Chrome, this form will be
pre-filled with the stored credentials from the victim.example.org domain,
even though the password prompt is generated by evil.example.com.
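The weakness above comes down to which key a password manager uses when it decides whether a stored HTTP-auth credential matches a new 401 challenge. The following is an added, illustrative model (not Chromium's code, and not part of this advisory): `weak_lookup` keys on the origin of the page being viewed, as the vulnerable behaviour described above does, while `hardened_lookup` keys on the origin of the resource that actually issued the challenge, together with its auth scheme and realm. The credential store, URLs and challenge header are constructed sample values.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def challenge_origin(url):
    """scheme://host:port of a URL, with default ports made explicit."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS[u.scheme]
    return f"{u.scheme}://{u.hostname}:{port}"


def parse_challenge(www_authenticate):
    """Return (scheme, realm) from a Basic or Digest WWW-Authenticate header."""
    m = re.match(r"\s*(\w+)\s+(.*)", www_authenticate, re.S)
    if not m:
        raise ValueError("malformed WWW-Authenticate header")
    params = {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', m.group(2))}
    if "realm" not in params:
        raise ValueError("challenge without a realm")
    return m.group(1).lower(), params["realm"]


# Constructed sample store: one Digest credential saved for the victim site
# (step 4 of the test scenario), keyed by (origin, scheme, realm).
STORE = {
    ("http://victim.example.org:80", "digest", "private"): ("alice", "s3cret"),
}


def weak_lookup(page_url, www_authenticate):
    """Vulnerable behaviour: matches on the origin of the page being viewed,
    regardless of which server sent the challenge or what realm it named."""
    parse_challenge(www_authenticate)  # validated but then ignored
    page_origin = challenge_origin(page_url)
    for (origin, _scheme, _realm), cred in STORE.items():
        if origin == page_origin:
            return cred
    return None


def hardened_lookup(resource_url, www_authenticate):
    """Fixed behaviour: the credential must belong to the challenging
    resource's own origin, auth scheme and realm."""
    scheme, realm = parse_challenge(www_authenticate)
    return STORE.get((challenge_origin(resource_url), scheme, realm))
```

In the advisory's scenario the page is on victim.example.org but the challenge comes from evil.example.com, so the weak lookup hands over the victim credential while the hardened lookup returns nothing.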
Versions Affected
-----------------
The issue was originally discovered in version 3.0.195.38 and was also verified
to exist in version 4.0.249.78. Testing was conducted on the Windows platform.
Vendor Response
---------------
The following timeline details Google's response to the reported issue:
2010-01-20 VSR submitted a security bug report [3]. Chromium development team began researching the issue.
2010-01-21 VSR provided additional details on the test scenario. Chromium developers successfully reproduced the issue and committed a fix to the source repository [4].
2010-02-10 Chrome stable version 4.0.249.89 released which includes the fix.
2010-02-15 VSR advisory released.
Recommendation
--------------
Upgrade to the latest version of Google Chrome as soon as possible.
Users are advised to be wary of HTTP authentication prompts and to carefully
inspect the domains presented in these messages to see if they match the domain
of the expected site.
Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2010-0556 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
Acknowledgements
----------------
Thanks to the Chromium development team for the prompt response.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. http://www.google.com/chrome/intl/en/features.html
2. http://googlechromereleases.blogspot.com/2010/02/stable-channel-update.html
3. http://code.google.com/p/chromium/issues/detail?id=32718
4. http://src.chromium.org/viewvc/chrome?view=rev&revision=36829
5. http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2010 Virtual Security Research, LLC. All rights reserved.