6.5 Medium (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

4.3 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low (EPSS)
Percentile: 51.4%
CVSS score: 8.1 / High / CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Embargo notice: Do Not Disclose publicly until https://crbug.com/1083819 is disclosed.
Twitter for Android is affected by a UXSS vulnerability due to its configuration of Android WebView and CVE-2020-6506.
Vendor mitigation is recommended to protect unpatched WebView users, due to its impact and ease of exploitation. Mitigation options which minimize breaking changes are provided for various use cases.
Android WebView is the system component which allows Android apps to display web pages. Apps typically use Android WebView directly or via frameworks/libraries.
CVE-2020-6506 is a universal cross-site scripting (UXSS) vulnerability in Android WebView which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects vendors which use Android WebView with a default configuration setting, and run on systems with Android WebView version prior to 83.0.4103.106.
All relevant details to understand and mitigate the vulnerability should be in this report. As an affected vendor, you may request access to the restricted crbug for full details and discussion, subject to acceptance by the Chromium Security Team. To request access, send me an email.
An Android WebView instance with WebSettings.setSupportMultipleWindows() kept at its default or explicitly set to false allows an iframe on a different origin to bypass the same-origin policy and execute arbitrary JavaScript in the top-level document.
To perform the attack, an iframe can call window.open() with a javascript: URL. Other methods of opening a new window, such as a link with target="_blank" and href="javascript:…", can also be used to perform the attack.
Performing the attack requires a single user interaction (a tap/click or a keypress). The malicious iframe does not need to be visible, and can obtain the keypress interaction while a user attempts to type in the top-level document (no direct iframe interaction required).
The patched version of Android WebView (83.0.4103.106) was released on Monday, June 15th, 2020: https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_15.html
Vendors can and should mitigate CVE-2020-6506 to protect their users using unpatched Android WebView versions.
Twitter for Android uses WebViews to render the URL in Video Website Cards. This type of Card uses the vulnerable WebView configuration, therefore there are two ways a user can reach the vulnerable WebView:
If the advertiser/target URL has a malicious or compromised iframe, the iframe can perform the UXSS attack with minimal user interaction (tap/click or keypress). If there's sensitive data in the WebView, it is vulnerable to exfiltration. Page contents and data can also be altered to benefit the attacker, such as requesting sensitive info from the user while purporting to be the advertiser/target URL.
Based on Twitter's use case, the suggested solution is option 1a or 1b. The final determination is left to the vendor. Reference implementations for each option are available by request.
If none of these options appear suitable, please provide feedback to address concerns. Other vendors could have the same concerns, so your input is appreciated to best mitigate for all affected vendors.
Vendors generally have two choices to mitigate for unpatched WebView users:
Detailed choices:
Option 1a: Enable multiwindow support, and create a new tab in UI or block window creation.
Option 1b: Enable multiwindow support, and mimic single-window behavior via WebView instance replacement.
Option 1c: Enable multiwindow support, and mimic single-window behavior via WebView instance reuse.
Option 2: Keep multiwindow support disabled, and enforce strict origin allowlist.
Adjacent phishing mitigation: If the current page URL is not guaranteed to be shown to the user, origin allowlists are recommended to mitigate phishing risks. This is an adjacent vulnerability, but it's a good opportunity to mitigate it because URL filtering is likely to be implemented as part of the UXSS mitigation.
Additional implementation details for options 1a and 1b: When using multiple WebView instances simultaneously, be sure to destroy the background WebView, unload the background page, or handle background page events safely. Otherwise, background pages can perform actions which should only be allowed for a foreground page, which often causes other security issues.
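As an added example that is not from this report, from Twitter's codebase, or from the reference implementations offered above, the Java below applies option 1a (enable multi-window support, then refuse new windows in onCreateWindow) together with the adjacent allowlist for top-level navigation; the class name, the ALLOWED_HOSTS values and the isAllowed helper are assumptions.

```java
import android.net.Uri;
import android.os.Message;
import android.webkit.WebChromeClient;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Assumed helper class, not Twitter's code: hardens a WebView per option 1a. */
public class HardenedWebView {
    // Constructed allowlist; a real app lists only the hosts its cards are expected to render.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();
        // Vulnerable setting: setSupportMultipleWindows(false), the default, lets a javascript:
        // URL passed to window.open() by a cross-origin iframe run in the top-level document.
        settings.setSupportMultipleWindows(true);

        webView.setWebChromeClient(new WebChromeClient() {
            @Override
            public boolean onCreateWindow(WebView view, boolean isDialog,
                                          boolean isUserGesture, Message resultMsg) {
                // Option 1a, "block" variant: no WebView is attached to resultMsg and it is never
                // sent, so the popup is refused and the javascript: URL has nowhere to execute.
                // A "new tab" variant would instead attach a fresh WebView via WebViewTransport
                // and call resultMsg.sendToTarget(); it must never hand back `view` itself.
                return false;
            }
        });

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Adjacent phishing mitigation: returning true cancels any navigation to a host
                // outside the allowlist, so the user only ever sees the expected origins.
                return !isAllowed(request.getUrl());
            }
        });
    }

    // True only for https URLs whose host is on the allowlist.
    static boolean isAllowed(Uri url) {
        String host = url.getHost();
        return "https".equals(url.getScheme()) && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
```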
Device: Samsung Galaxy S10 + Emulated Android device
OS version: Android 10 (on both devices)
Twitter version: 8.50.0-release.02
Expected Behavior:
JavaScript is not executed in top-level document. HTML is not written to top-level document and JS alert dialog is not shown (or a JS alert dialog is shown but with info from iframe document).
Observed Behavior:
JavaScript is executed in top-level document. HTML is written to top-level document, and if the WebView allows JS alert dialogs, a JS alert dialog is also shown with info from top-level document.
A malicious iframe on any page within the vulnerable WebView can perform a UXSS attack on the top-level document with minimal user interaction.