CVE-2022-0806 in Edgeinfo

Summary

by MITRE • 04/05/2022

Data leak in Canvas in Google Chrome prior to 99.0.4844.51 allowed a remote attacker who convinced a user to engage in screen sharing to potentially leak cross-origin data via a crafted HTML page.

Analysis

by VulDB Data Team • 04/05/2022

This vulnerability represents a critical cross-origin data leakage issue within the Chrome browser's implementation of Canvas APIs, specifically affecting versions prior to 99.0.4844.51. The flaw exists in how Chrome handles screen sharing functionality and Canvas rendering operations when processing maliciously crafted HTML content. Attackers could exploit this vulnerability by convincing victims to participate in screen sharing sessions while simultaneously navigating to a specially designed webpage that leverages Canvas API manipulations.

The technical mechanism involves improper sandboxing of Canvas contexts during screen sharing operations, allowing unauthorized access to pixel data from cross-origin resources that should normally be isolated. This issue maps directly to CWE-200, which addresses information exposure through improper access control, and specifically relates to the insecure handling of graphical rendering contexts in web browsers.

The operational impact is significant as it enables attackers to potentially extract sensitive information from other websites during screen sharing sessions, bypassing standard cross-origin restrictions that typically protect user data. Attackers could harvest credentials, personal information, or confidential documents displayed on screen by exploiting the Canvas API's ability to read pixel data from rendered content.

The vulnerability aligns with ATT&CK technique T1566, which covers social engineering tactics involving user interaction, and T1071.004, covering application layer protocol usage for data exfiltration. Browser vendors typically implement strict security boundaries around screen sharing APIs to prevent such leakage scenarios, but this flaw allowed bypassing those protections through Canvas manipulation. The exploit requires user interaction through screen sharing participation, making it particularly dangerous in collaborative environments where users might trust other participants.

Organizations should immediately update to Chrome version 99.0.4844.51 or later, which includes patches addressing the improper Canvas context isolation during screen sharing operations. Additional mitigations include implementing strict content security policies and educating users about the risks of participating in untrusted screen sharing sessions. The vulnerability demonstrates the complexity of securing modern browser APIs where legitimate use cases like screen sharing intersect with potential attack vectors through Canvas-based data extraction techniques.

Responsible

Chrome

Reservation

03/01/2022

Disclosure

04/05/2022

Moderation

accepted

Entry

2

CPE

ready

EPSS

0.00953

KEV

no

Activities

very low
