
Issue 614661


Issue metadata

Status: Duplicate
Merged: issue 466009
Owner: ----
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: CSRF through Google Search Result

Reported by ziyahana...@gmail.com, May 25 2016

Issue description

Hi there;
A few days ago I realized a security issue in Chrome. It is this: as you know, the "Prefetch resources to load pages more quickly" setting comes enabled by default. In this case, the JavaScript code of the site shown in first position of the Google search result runs automatically.

It can cause CSRF and unwanted downloads, even DDoS attacks, as seen in the videos in the attachment.

VULNERABILITY DETAILS
When the "Prefetch resources to load pages more quickly" option is enabled, JavaScript code on the site shown in first position of the search result runs automatically. Google does this to load sites quickly; however, some security issues arise from it. For example CSRF through Google, unwanted file downloads, or maybe some DoS attack using the most searched keywords.

You know CSRF is also known as "Sea Surf"; in this scenario, we can call this vulnerability "SEO-SURF".

Imagine the possibilities:
A prepared malicious site containing some harmful JavaScript code may lead users to trigger CSRF vulnerabilities on other sites, make DoS requests to other resources, or cause unwanted downloads.

I configured the site for some of the most searched keywords.
When these keywords are queried, my site is shown in first position, and then the malicious code will run.


VERSION
Chrome Version: 50.0.2661.102 m
Operating System: Windows 8.1 64Bit Single Language Pack

REPRODUCTION CASE
First, I noticed it by typing "superlogout" in the Google search box. The site www.superlogout.com appeared in first position of the search result, and then all my accounts were logged out. I was amazed. After this, I tried other possibilities. I added some malicious code to my friends' sites (www.emre-yilmaz.net and www.denizparlak.com).

When entering certain keywords brought my friends' sites to first position in the search result, the malicious code ran. In this way, a file (src.x, a bash script) was downloaded to the tmp folder and logouts from accounts (Dropbox, Gmail, Amazon) were performed.

For more detailed information, please look at the files in the attachment.

Attachments:
- poc.gif (1.6 MB)
- download_over_google.gif (1.2 MB)

Comment 1 by mea...@chromium.org, May 26 2016

Cc: cbentzel@chromium.org davidben@chromium.org
Components: Internals>Preload
Mergedinto: 466009
Status: Duplicate (was: Unconfirmed)
Hi and thanks for the report.

What you are reporting has been discussed at bug 466009 before. Prerender indeed executes the fetched page, but from the perspective of the web security model this isn't much different than convincing the user to visit a specific URL. In both cases, there shouldn't be any harm in simply visiting a URL.

I'm merging this bug into bug 466009, but also CC'ing some folks just in case they want to chime in.
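A defender-side illustration of the point made in this comment, added here and not code from the bug report or from Chromium: a logout endpoint that acts on any request carrying the session cookie is triggered by a prerendered page exactly as by a click, while an endpoint that requires POST plus a session-bound CSRF token stays harmless when a URL is merely visited or prefetched. The handler names, the secret and the session id are constructed for this demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Assumption: a per-deployment secret; the value here is constructed for the demo.
SESSION_SECRET = b"constructed-demo-secret"


def csrf_token_for(session_id: str) -> str:
    """Bind a token to the session so a cross-site page cannot guess or read it."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_logout(method: str, cookies: dict, body: str) -> tuple:
    """'Before': any request carrying the session cookie logs the user out.
    A GET issued while a third-party page is prerendered (cookies attached) is enough."""
    if "sid" not in cookies:
        return 401, "no session"
    return 200, "logged out"


def hardened_logout(method: str, cookies: dict, body: str) -> tuple:
    """'After': a state change needs POST and a token only same-origin code can supply."""
    if method != "POST":
        return 405, "state change not allowed on GET"
    sid = cookies.get("sid")
    if sid is None:
        return 401, "no session"
    submitted = parse_qs(body).get("csrf", [""])[0]
    if not hmac.compare_digest(submitted, csrf_token_for(sid)):
        return 403, "csrf token missing or wrong"
    return 200, "logged out"


# Constructed requests: what a third-party page can cause the browser to send
# (session cookie present, token absent) versus the site's own logout form.
CROSS_SITE_GET = ("GET", {"sid": "sess-123"}, "")
CROSS_SITE_POST = ("POST", {"sid": "sess-123"}, "")
LEGIT_POST = ("POST", {"sid": "sess-123"}, "csrf=" + csrf_token_for("sess-123"))


def outcomes() -> dict:
    """Status code each handler returns for the three constructed requests."""
    reqs = (CROSS_SITE_GET, CROSS_SITE_POST, LEGIT_POST)
    return {
        "vulnerable": [vulnerable_logout(*r)[0] for r in reqs],
        "hardened": [hardened_logout(*r)[0] for r in reqs],
    }


if __name__ == "__main__":
    print(outcomes())  # {'vulnerable': [200, 200, 200], 'hardened': [405, 403, 200]}
```

Marking the session cookie SameSite additionally keeps it off cross-site requests in current browsers, but the token check is what makes the endpoint correct regardless of how the page was reached.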

Comment 2 by sheriffbot@chromium.org, Sep 2 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
