Responsible Disclosure: Chrome security bug let tabs draw over each other ($1k bounty)

Chrome for Android had a flaw which let one tab draw over another - even if the tabs were on completely different domains. A determined attacker might have been able to abuse this to convince a user to download and installed a spoofed app.

See Chrome Bug #1242315 for details.

Demo

Here's a video of me on one site (Twistory.ml) opening a link to Twitter in a new tab. Twitter's mobile site contains a Web Manifest which should prompt the user to install an app. Rather than displaying this pop-up on Twitter's tab, Chrome displays it over the unrelated tab.

Why this is a problem

Here's a (somewhat unlikely) scenario.

You're on, for example, Reddit's website and see an interesting looking link to an external site. You open it in a new tab. All of a sudden, a pop-up appears saying "Reddit is better in the app! Click to download!!"

You download it. Unbeknownst to you, the pop-up was from the external site. They saw your referer header and automatically crafted a manifest file which sends you to a malicious copy-cat app. That app steals your password for Reddit, clones your identity, and kills your puppy.

Google's response

I was expecting Google to close this as WONTFIX. In my experience, Google's attitude to lots of bugs is the same as Steve Job's infamous "You're holding it wrong". Blame the user for not understanding how Google's poorly-tested and confusing products work.

But, to be fair, it was taken seriously. I didn't have to provide any extra detail and, while it was low severity, it was fixed promptly. Kudos!

Then came the agonising wait to see whether Google would pay out millions of dollars for this flaw...

Bounty

For UI bugs like this, Google tends to award $500 - see 1136714, 1133183, and 841622. Although if you can draw over the security UI, the rewards are much higher.

So I was pleasantly surprised to win a US$1,000 bounty!

Perhaps I could have sold it on the DarkWeb™ for digital Beanie Babies totally legitimate crypto-currency? Nah. Too much hassle! I'm going to plough the money into our OpenBenches project.

Timeline

• 2021-08-23 Discovered and disclosed. Within a few hours it was accepted, and triaged. With the (fair) comment that "This doesn't look very scary to me."
• 2021-08-26 Marked as fixed by this commit
• 2021-08-27 Further patches for related issue
• 2021-09-28 Given a gentle nudge, the Reward Panel offered $1k.
• 2021-10-08 After an annoying amount of back-and-forth, Google accepted my registration on their supplier platform. The cause of the delay? I used the W8 form from the IRS.gov site - and Google wanted me to use an older one 🙄
• 2021-11-01 After signing up on their supplier payment platform and jumping through yet more hoops, US$992.50 was deposited in my TransferWise account. Where's the missing $7.50? TransferWise fees? Plus, obviously, a fee to transfer it to GBP and then out to my normal bank account. After all the conversion and fees, it came to £722.64. Quite why the international behemoth Google can't pay in a local currency, I've no idea.
• 2021-12-03 Bug report set to public.
• 2021-12-04 Blog post published.