New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 594057 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security



Sign in to add a comment

HTTP(S) URL spoof in address bar

Reported by fir...@gmail.com, Mar 11 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce the problem:
Follow link in testcase file for a simple demo.

In a nutshell, a combination of data URI, Unicode characters and frames. 

Spoof is not perfect but good enough to easily fool your mom and dad.  At least it worked with mine :)

What is the expected behavior?
At the very least misleading Unicode whitespace characters should be escaped and/or a big warning should be displayed.

What went wrong?
Browser navigates to arbitrary website but URL bar shows https://secure.paypal.com/ 

Did this work before? N/A 

Chrome version: 49.0.2623.87  Channel: stable
OS Version: 6.3
Flash Version: Shockwave Flash 21.0 r0
 
chr_url_spoof_poc.html
723 bytes View Download
Cc: palmer@chromium.org f...@chromium.org
Status: WontFix (was: Unconfirmed)
This is not a convincing spoof. There is no lock icon and clearly it shows a data: url. Closing.

+cc Adrienne, Chris too in case they think differently here.

Comment 2 by fir...@gmail.com, Mar 11 2016

Keep in mind what may not be a convincing spoof to you might well be to many non-tech users.

The point is, the only URL shown in the address bar is clearly recognizable, separated from the "data:" bit by (fake) whitespace and does not match the website being loaded. 

Why are those Unicode space-like characters not escaped? 

I do agree about the lack of a lock symbol. For that reason, spoofing a regular HTTP URL would probably work better. 


Comment 3 by palmer@chromium.org, Mar 11 2016

Yeah, this does not meet my bar for a spoof; it's not better than what's already available (e.g. a homograph attack, or even just paypaI.com).

However, there is another bug here: when you click on the Blank Page Icon to bring up the Origin Info Bubble, the data: URI is too long and makes the bubble look weird. We should fix that. I'll file a new bug for it.

Comment 5 by mea...@chromium.org, Apr 21 2016

Labels: -Restrict-View-SecurityTeam
Project Member

Comment 6 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 7 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Sign in to add a comment