CVE-2022-0806 Canvas data leak allowed remote attackers to potentially leak cross-origin data if a user becomes a screen-sharer.

This issue was addressed by forbidding cross-origin data sharing by default. Screen sharing with untrusted sites was previously possible in Google Chrome. This issue was addressed by changing the screen sharing default to disallow untrusted sites.

was an issue in Google Chrome that allowed remote attackers to bypass the Same Origin Policy via a screen share request.
In this issue, user input passed to a website was not sanitized before being used in screen sharing. This issue was addressed by sanitizing user input before using it in screen sharing.

In September 2017, a security researcher reported a flaw in Chrome’s screen sharing that could be used by remote attackers to steal sensitive information from targeted users.
In this issue, Google Chrome did not enforce Same Origin Policy for HTML elements when using screen sharing. This issue was addressed by enforcing Same Origin Policy for HTML elements when using screen sharing.

A security researcher reported a cross-site scripting (XSS) flaw in Google Chrome that could cause information from a user’s computer to be sent to malicious websites when using the screen sharing feature.
This issue was addressed by fixing XSS issues in Google Chrome.

In September 2017, a security researcher reported a privilege escalation flaw in Google Chrome’s screen sharing that could be used by malicious websites to cause a user’s PC to execute code with elevated privileges.

How does Google Chrome protect users from this?

In this issue, Google Chrome did not sanitize the user input when using screen sharing. This issue was addressed by sanitizing user input before using it in screen sharing.

In September 2017, a security researcher reported a flaw in Chrome’s screen sharing that could be used by remote attackers to steal sensitive information from targeted users.
This issue was addressed by enforcing Same Origin Policy for HTML elements when using screen sharing.

Google Chrome’s WebRTC flaw

In this issue, Google Chrome did not properly validate the origin of a permission request before granting it. This issue was addressed by validating permission requests before granting them.

In September 2017, a security researcher reported a flaw in Google Chrome’s browser extension model that could be used by remote attackers to steal sensitive information from targeted users.
This issue was addressed by fixing XSS issues in Google Chrome’s browser extension model.
