CVE-2015-1300 in Chrome
Summary
by MITRE
The FrameFetchContext::updateTimingInfoForIFrameNavigation function in core/loader/FrameFetchContext.cpp in Blink, as used in Google Chrome before 45.0.2454.85, does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to obtain sensitive information via crafted JavaScript code that leverages a history.back call.
Analysis
by VulDB Data Team • 06/14/2022
CVE-2015-1300 is an information disclosure flaw in the Blink rendering engine used by Google Chrome and other Chromium-based browsers. The affected code is FrameFetchContext::updateTimingInfoForIFrameNavigation in core/loader/FrameFetchContext.cpp, which records Resource Timing entries for iframe navigations; it did not apply the cross-origin restrictions that the Resource Timing API imposes on timing data. Chrome versions before 45.0.2454.85 are affected.
The Resource Timing API (performance.getEntriesByType("resource")) gives a page timing entries for the resources it loads, and the load of an embedded document is reported as an entry with initiatorType "iframe". To keep cross-origin state from leaking, the specification requires that an entry for a cross-origin resource expose only the coarse values (startTime, fetchStart, responseEnd, duration) unless the response carries a Timing-Allow-Origin header naming the document's origin; the redirect, DNS, connection, request and response timestamps must be reported as 0, and startTime collapses to fetchStart so that redirects are not visible. In the vulnerable code path an attacker's page could embed a cross-origin document in an iframe and, using a history.back() call as the trigger named in the summary, obtain a timing entry for that frame's navigation on which these restrictions had not been applied, so its JavaScript read timing details for a cross-origin document that should have been withheld.
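As an added example (not Chromium's code and not part of the VulDB analysis), the following JavaScript implements the Resource Timing cross-origin rule described above: the Timing-Allow-Origin check, the sanitisation a conforming browser must apply to an entry when that check fails, and an audit check that flags a cross-origin entry which still carries restricted attributes. The document URL, the entry values and the header values are constructed for illustration, and the redirect handling is simplified (the specification applies the check to every response in a redirect chain).

```javascript
// Added example, not Chromium or VulDB code: the cross-origin rule of the
// Resource Timing API as a browser must apply it to every entry, including
// entries for iframe navigations. Runs under Node (uses the global URL class).

// Attributes zeroed when the Timing-Allow-Origin (TAO) check fails.
// fetchStart and responseEnd stay visible; startTime collapses to fetchStart
// so that a redirect leaves no trace, and duration shrinks accordingly.
const RESTRICTED_ATTRS = [
  "redirectStart", "redirectEnd",
  "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "secureConnectionStart",
  "requestStart", "responseStart",
  "transferSize", "encodedBodySize", "decodedBodySize",
];

// Serialized origin (scheme://host[:port]) of a URL, as the browser computes it.
function originOf(url) {
  return new URL(url).origin;
}

// TAO check (simplified: the spec applies it to each response in a redirect
// chain). Same-origin passes; otherwise the response must carry
// Timing-Allow-Origin: * or a value equal to the document's serialized origin.
function timingAllowCheck(documentUrl, resourceUrl, taoHeader) {
  const docOrigin = originOf(documentUrl);
  if (docOrigin === originOf(resourceUrl)) return true;
  if (typeof taoHeader !== "string") return false;
  return taoHeader.split(",").map((v) => v.trim())
    .some((v) => v === "*" || v === docOrigin);
}

// The entry a conforming browser may hand to script. `rawEntry` is the
// browser's internal record with every timestamp; when the TAO check fails
// the restricted attributes become 0 and startTime/duration are recomputed.
function exposeEntry(documentUrl, rawEntry, taoHeader) {
  const allowed = timingAllowCheck(documentUrl, rawEntry.name, taoHeader);
  const exposed = { ...rawEntry };
  if (!allowed) {
    for (const attr of RESTRICTED_ATTRS) exposed[attr] = 0;
    exposed.startTime = exposed.fetchStart;
    exposed.duration = exposed.responseEnd - exposed.startTime;
  }
  return exposed;
}

// Audit check for entries read from performance.getEntriesByType("resource")
// in a page that frames a cross-origin document served WITHOUT a TAO header:
// any non-zero restricted attribute on a cross-origin entry is a leak of the
// kind CVE-2015-1300 caused. (With a TAO header, non-zero values are legitimate.)
function leaksCrossOriginTiming(documentUrl, entry) {
  if (originOf(documentUrl) === originOf(entry.name)) return false;
  return RESTRICTED_ATTRS.some((attr) => (entry[attr] || 0) !== 0);
}

// Constructed sample: an attacker page frames a cross-origin document whose
// load went through one redirect. Values are illustrative milliseconds.
const SAMPLE_DOCUMENT = "https://attacker.example/index.html";
const SAMPLE_RAW_ENTRY = {
  name: "https://victim.example/account",
  initiatorType: "iframe",
  startTime: 10,
  redirectStart: 10, redirectEnd: 45,
  fetchStart: 45,
  domainLookupStart: 45, domainLookupEnd: 50,
  connectStart: 50, secureConnectionStart: 55, connectEnd: 70,
  requestStart: 71, responseStart: 95, responseEnd: 120,
  duration: 110,
  transferSize: 2048, encodedBodySize: 1800, decodedBodySize: 6000,
};

// What the attacker page sees with and without a permitting TAO header.
function demo() {
  const withoutTao = exposeEntry(SAMPLE_DOCUMENT, SAMPLE_RAW_ENTRY, undefined);
  const withTao = exposeEntry(SAMPLE_DOCUMENT, SAMPLE_RAW_ENTRY,
                              "https://attacker.example");
  return {
    rawLeaks: leaksCrossOriginTiming(SAMPLE_DOCUMENT, SAMPLE_RAW_ENTRY),
    sanitizedLeaks: leaksCrossOriginTiming(SAMPLE_DOCUMENT, withoutTao),
    redirectVisibleWithoutTao: withoutTao.redirectEnd - withoutTao.redirectStart,
    redirectVisibleWithTao: withTao.redirectEnd - withTao.redirectStart,
  };
}

console.log(demo());
```

In a browser, leaksCrossOriginTiming can be pointed at the real entries returned by performance.getEntriesByType("resource") from a page that frames a cross-origin document served without Timing-Allow-Origin; on a fixed browser every such entry reports 0 for the restricted attributes.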
The impact is a cross-origin information leak. The same-origin policy and the Timing-Allow-Origin check exist precisely so that a page cannot learn how a document from another origin was fetched; the leaked timestamps tell the attacker's page, for example, whether the cross-origin navigation involved a redirect and how long the server took to respond, and such differences are the classic side channel for inferring a victim's state on another site, such as whether they are logged in. The leak is limited to timing values: it gives no access to the cross-origin content itself, and it requires the victim to load a page that runs attacker-controlled JavaScript.
The flaw is classified as CWE-200 (Information Exposure): an access-control check that the browser should apply to timing data was missing. Mapping it to ATT&CK techniques such as T1071.004 (Application Layer Protocol: DNS) or T1082 (System Information Discovery) is not justified, since no DNS channel and no host information are involved. What exploitation requires is that the victim's browser run attacker-controlled JavaScript, so the only applicable techniques are delivery ones: T1189 (Drive-by Compromise) or T1566.002 (Phishing: Spearphishing Link; Spearphishing Attachment is T1566.001).
The fix shipped in Chrome 45.0.2454.85, which applies the Resource Timing cross-origin restrictions to iframe navigation entries; updating is the mitigation, and the affected versions are long out of support. Site operators cannot patch the browser, but they control the other half of the check: send a Timing-Allow-Origin header only to origins that should see detailed timings, and never as a wildcard on responses whose timing is sensitive, such as authenticated pages or redirects that depend on login state. Anyone assessing a browser build for this class of bug should read performance.getEntriesByType("resource") from a page that frames a cross-origin document served without Timing-Allow-Origin and confirm that every restricted attribute of the cross-origin entries is 0.