Closed Bug 764356 Opened 13 years ago Closed 13 years ago

WebGL exposes desktop window elements in canvas

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: posidron, Unassigned)

Details

(Keywords: sec-moderate, testcase)

Attachments

(4 files)

testcase
2.89 KB, text/html
Details
Screenshot: Windows/Text
100.68 KB, image/png
Details
Screenshot: Desktop wallpaper
118.73 KB, image/png
Details
Screenshot: content of a folder
89.70 KB, image/png
Details
Attached file testcase
I have noticed that during fuzzing the framebuffer methods that desktop elements of the underlying OS are exposed in the canvas. The content which is shown appears to be random after each reload of the page. Haven't looked more into this issue yet and am not certain whether it is possible to construct something which shows more than just fragments. Benoit mentioned that this is not intended and recommended to file a bug for this issue. Benoit, the testcase also includes an commented out block which uses readPixels() which produces the same effect.
Whiteboard: [sg:sec-low] → [sg:sec-moderate]
Keywords: sec-moderate
Whiteboard: [sg:sec-moderate]
This screenshot makes it a bit more clear where you can actually read the file names in the SourceTree application.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Can you elaborate on why you resolved as WORKSFORME? Is the bug not reproducible at all anymore? What was the about:support of systems where it reproduced? If reproducible, this is a good candidate for sg:high as it's about information leakage.
(Sorry that I didn't react to this sooner. Since the switch to no-bugmail-by-default-for-secure bugs, I've been missing a few sec bugs like that. Should configure my bugmail properly).
Note, this could be the same as bug 777457 which reproduced in Firefox 13 and "went away by itself" with the release of Firefox 14.
Correct, it is not reproducible anymore. I have demo'ed this last week on our security work week where it was still reproducible with a trunk build. Since ~Thursday last week I was unable to reproduce this behavior. I have tested it today again with a new build but it seems to be fixed for now. If this behavior pop's up again I will re-open this bug. System Information: MacBook Pro 2012 CPU: 2.6 Ghz i7 RAM: 16GB Vendor ID 0x10de Device ID 0xfd5 WebGL Renderer: NVIDIA GeForce GT 650M OpenGL Engine: 2.1 NVIDIA-8.0.51 GPU Accelerated Windows: 1/1 OpenGL ProductName: Mac OS X ProductVersion: 10.8 BuildVersion: 12A269
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: