Security: Chrome Address Spoofing
Reported by max.gor...@gmail.com, May 21 2016
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please see the following link for instructions on filing security bugs:

VULNERABILITY DETAILS
A page set up to steal Google account details can exploit the address bar. I was reading an article (on my desktop PC using Chrome) about a previous vulnerability in stock Android browsers and there was a link to test it out. I clicked it, and it redirected me to the "blank:tab" screen. There was a log-in identical to the one for GMail. When you enter the details it redirects you to the site "attacker.com".

VERSION
Chrome Version: [50.0.2661.102] + [stable]
Operating System: [Windows 7, Service Pack 1]

REPRODUCTION CASE
1. Go to: http://jsfiddle.net/dy4swq4o/show/
2. Click "Click here to be redirected."
3. Note how the page appears to be located at "blank:tab"
4. Enter anything in the email or password slot.
5. You should be taken to "attacker.com"

The code for the page is here: http://jsfiddle.net/dy4swq4o
The original blog article I mentioned above is here: http://www.rafayhackingarticles.net/2015/05/android-browser-address-bar-spoofing-vulnerability.html

Although many computer users will notice this, I'm sure people could take advantage of this and target users not experienced with computers or Google Chrome.

In case my e-mail is not included, it is max.goracy@gmail.com
Comment, May 21 2016

This is not particularly more powerful than spoofing on a domain similar to the target page. If the user/password manager/watchword does not check for that, there's little we can do. There are hopes to do something better, but it's not obvious what's best.
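The comment above points at the one check that defeats this class of spoof: a password manager (or any credential autofill) must compare the document's real origin, and where the form actually submits, against the origin the saved credential belongs to, rather than trusting what the page looks like. The following is an added illustration of such a check, written for this page and not code from Chromium or from the reporter's fiddle. It assumes a hypothetical saved credential tied to https://accounts.google.com (a constructed sample) and uses the standard WHATWG `URL` parser: opaque locations such as about:blank, data:, or the "blank:tab" string seen in the report have origin "null" and can never match, a look-alike host fails the exact-origin comparison, and a form whose action posts to a different origin (the report's "attacker.com") is refused even on the right page.

```javascript
// Added example, not part of the bug report: an origin-based autofill gate of
// the kind the triage comment says a password manager needs.

// Hypothetical saved credential and the only origins it may be filled on
// (constructed sample values).
const SAVED_CREDENTIAL = {
  account: "user@example.com",
  allowedOrigins: ["https://accounts.google.com"],
};

// Decide whether `cred` may be filled into a login form that lives in a
// document at `documentUrl` and submits to `formAction` (absolute or
// relative). Returns { fill: boolean, reason: string } so a caller can log
// why a fill was refused.
function autofillDecision(documentUrl, formAction, cred) {
  let doc;
  try {
    doc = new URL(documentUrl);
  } catch (e) {
    return { fill: false, reason: "unparseable document URL" };
  }

  // about:blank, data:, javascript: and unknown schemes such as "blank:"
  // all yield an opaque origin ("null"); no site owns such a document, so
  // no saved credential can belong to it.
  if (doc.origin === "null") {
    return { fill: false, reason: `opaque origin (${doc.protocol})` };
  }

  // Credentials travel over TLS only.
  if (doc.protocol !== "https:") {
    return { fill: false, reason: "document not served over https" };
  }

  // Exact origin match: scheme + host + port. A look-alike host such as
  // accounts-google.com is a different origin and fails here.
  if (!cred.allowedOrigins.includes(doc.origin)) {
    return { fill: false, reason: `origin ${doc.origin} not in allow-list` };
  }

  // Where the form posts. Relative actions resolve against the document;
  // an absolute action to another origin means the page is right but the
  // credentials would leave to somewhere else.
  let target;
  try {
    target = new URL(formAction, doc);
  } catch (e) {
    return { fill: false, reason: "unparseable form action" };
  }
  if (!cred.allowedOrigins.includes(target.origin)) {
    return { fill: false, reason: `form submits to ${target.origin}` };
  }

  return { fill: true, reason: "document and form origin match" };
}

// Walk the cases from the report: the genuine page, the spoofed blank
// location, a look-alike domain, and a real page whose form posts elsewhere.
function demo() {
  const cases = [
    ["https://accounts.google.com/signin", "/signin"],
    ["blank:tab", "/"],
    ["about:blank", "http://attacker.com/collect"],
    ["https://accounts-google.com/signin", "/signin"],
    ["https://accounts.google.com/signin", "http://attacker.com/collect"],
  ];
  return cases.map(([d, a]) => [d, autofillDecision(d, a, SAVED_CREDENTIAL)]);
}

for (const [d, r] of demo()) {
  console.log(`${r.fill ? "FILL  " : "REFUSE"} ${d}: ${r.reason}`);
}
```

The decision is deliberately on the origin tuple, not on the hostname string, so a mismatched scheme or port is refused as well; the form-action check is the part that catches the report's second symptom, the redirect of submitted details to "attacker.com".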
Comment 1 by max.gor...@gmail.com, May 21 2016