New issue
Advanced search Search tips

Issue 601219 link

Starred by 1 user
Status: Duplicate
Merged: issue 92061
Owner: ----
Closed: Apr 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Chrome follows URIs with user information without presenting warning to user

Reported by ahoerne...@netflix.com, Apr 6 2016 

VULNERABILITY DETAILS

Chrome follows URIs containing user information to sites that do not user authentication without providing a warning to the user. This can allow crafting phishing/malicious links that appear legitimate (depending upon the application rendering the link, i.e. chat clients, email clients, etc.) and can facilitate attacks against Chrome users by obfuscating the actual destination of a given link.


VERSION
Chrome Version: [49.0.2623.110] + stable
Operating System: OS X 10.11.3

REPRODUCTION CASE
Below is a sample HTML file that shows how, even though the URLs appear to point to www.netflix.com and Google respectively, you are actually directed to other domains. 

Note: When rolling over the link in Chrome, the domain is rendered in the status bar in a way that indicates the actual (potentially malicious) destination domain. However, links are often followed from other applications (such as chat clients) and these do not universally render the links in the way same.

<html>
<head></head>
<body>
  <a href="http://www.netflix.com@www.cnn.com">Not Netflix</a></br>
  <a href="https://www.google.com@www.bing.com">Not Google</a></br>
</body>
</html>


ATTACHMENTS

See attached screenshots that demonstrate how Firefox and Safari warn users for these types of links.
Screen Shot 2016-04-06 at 3.06.26 PM.png
84.3 KB View Download
Screen Shot 2016-04-06 at 3.06.32 PM.png
103 KB View Download

Comment 1 by kenrb@chromium.org, Apr 7 2016

Mergedinto: 92061
Status: Duplicate (was: Unconfirmed)
Thanks for the report.

Unfortunately this isn't a generally solvable problem, there are too many effective ways to deceive users with the link displayed in the status bar, and many of them more convincing than this. For instance, a Javascript event handler can modify the target of a link at the moment a user clicks it. As a result we cannot consider the status bar text to be a security indicator and we recommend that users check the domain in the URL bar after a navigation to know whether they are on the correct site or not.
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 15 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 1 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 2 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Sign in to add a comment