[hackerone] webtorrent redirect #32856

Closed
diracdeltas opened this issue Sep 7, 2023 · 9 comments · Fixed by brave/brave-core#20062

Comments

@diracdeltas
Member

https://hackerone.com/reports/2139022 credit xiaoyinl

@LaurenWags
Member

@fallaciousreasoning could we get a test plan for this one?

Marking as QA/Blocked for now 👍🏻

@diracdeltas
Member Author

@LaurenWags I think it's ok to share the QA plan here since the risk (which is just phishing) is pretty low

  1. Enable webtorrent
  2. Go to chrome-extension://lgjmpdmojkpocjcopdikifhejkkjglho/extension/brave_webtorrent.html?https://www.microsoft.com/en-us/OperatingSystem/windows/updates/user/warnings/this/appears/to/be/a/legit/microsoft/user/warning/a/long/url/path/is/needed/so/that/users/do/not/see/the/message/is/in/url/itself/Warning:Call+1-206-555-0190!Right!Now!Your!Computer!Is!Very!Outdated!!!--@Microsoft--You!Must!Call!Us!Right!Now!Otherwise!Hackers!Will!Control!Your!Computer.torrent
  3. Make sure you see webtorrent: at the start of the URL in the url bar

@LaurenWags
Member

that's great, thanks @diracdeltas 👍🏻

@fallaciousreasoning

fallaciousreasoning commented Oct 8, 2023

Sorry @LaurenWags - I updated the PR with a test plan (it's basically the same as @diracdeltas though)

@LaurenWags added the QA/In-Progress label Oct 9, 2023
@LaurenWags
Member

LaurenWags commented Oct 9, 2023

Verified with

Brave | 1.60.81 Chromium: 118.0.5993.54 (Official Build) beta (x86_64)
-- | --
Revision | 1efb3f333eb41cc34af46ca31fb33c30e0afbfae
OS | macOS Version 13.6 (Build 22G120)

Encountered #33524 when using dark theme, so used light theme to verify this issue.

Scenario 1:

Verified test plan from brave/brave-core#20062 (comment).
Confirmed webtorrent: is the prefix for the URL when loading a .torrent file.
Confirmed magnet: is the prefix for the URL when loading a .magnet file per comments below.

[Screenshots: Torrent, Magnet]

Scenario 2:
Verified test plan from #32856 (comment).
Reproduced the issue with 1.58.137.
Confirmed webtorrent: was prefix in URL when using STR and 1.60.81.

[Screenshots: 1.58.137, 1.60.81]

@LaurenWags
Member

@fallaciousreasoning when loading a magnet URL from https://webtorrent.io/free-torrents per brave/brave-core#20062 (comment), the prefix in the URL bar isn't webtorrent: it's magnet: which matches 1.58.137 (current release version).

Should it have been changed to webtorrent: with this issue?

[Screenshots: 1.58.137, 1.60.81]

@fallaciousreasoning

No that's fine. Sorry, my bad :)

@LaurenWags added QA Pass-macOS and removed QA/In-Progress labels Oct 9, 2023
@MadhaviSeelam

MadhaviSeelam commented Oct 12, 2023

Verification PASSED using

Brave | 1.60.88 Chromium: 118.0.5993.70 (Official Build) beta (64-bit)
-- | --
Revision | ff9150ac5dd9934a7f431ddf478ad3e45ae68546
OS | Windows 11 Version 22H2 (Build 22621.2428)

Encountered #33524 when using dark theme, so used light theme to verify this issue.

Scenario 1:

[Screenshots: Torrent, Magnet]

Scenario 2:

[Screenshots: 1.59.117, 1.60.88]

@btlechowski

Verified with

Brave | 1.60.102 Chromium: 118.0.5993.96 (Official Build) beta (64-bit)
-- | --
Revision | 3598a9fc6b7752181feb25caa131bc386d6d054c
OS | Linux

Encountered #33524 when using dark theme, so used light theme to verify this issue.

Scenario 1:

Verified test plan from brave/brave-core#20062 (comment).
Confirmed webtorrent: is the prefix for the URL when loading a .torrent file.
Confirmed magnet: is the prefix for the URL when loading a .magnet file per comments below.

[Screenshots: Torrent, Magnet]

Scenario 2:
Verified test plan from #32856 (comment).
Reproduced the issue with 1.58.137.
Confirmed webtorrent: was prefix in URL when using STR and 1.60.x

[Screenshots: 1.58.137, 1.60.x]
