
Issue 630700

Issue metadata

Status: Duplicate
Merged: issue 626951
Owner: ----
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




Address bar spoofing in Chrome; Desktop + Mobile.

Reported by mishra.d...@gmail.com, Jul 22 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0

Steps to reproduce the problem:

Hello,

I am able to spoof or change the DNS on my Nexus phone, which has Chrome as its default browser. I am able to spoof the whole DNS just by using @ in the browser.

Example:
https://google.com@fb.com, this actually redirects to fb.com rather than going to Google.
Just by using the @ symbol, an attacker may spoof the address bar. Similarly, if I change to any other domain like
https://bing.com@yahoo.com, this will redirect to yahoo.com rather than bing.com.

Now this can be performed in Chrome on any platform like Windows, Android, iOS; Desktop + Mobile.
I have reported the bug to the Android security team; they advised me to forward it to Chromium.

Business Impact:
An attacker can send a URL containing a payload which will redirect the victim to the attacker's controlled malicious website. The end user may be subjected to a phishing attack as well as cookie stealing by being redirected to an untrusted page. The latter attack is more convincing than the traditional phishing attack because the generated URL will point to a website like example.com and not to a look-alike domain name.

Please have a look at the attached POC below; I have given my phone's model number and the steps for the above scenario.
I would be really happy to hear from the team.

Thank you

What is the expected behavior?

What went wrong?
The '@' symbol allows the user to be redirected to any other or different website.

How can it be exploited?

An attacker can use BeEF browser-based exploitation using [hook.js] and may redirect to the malicious website where the attacker is hosting hook.js via BeEF.
Ex: https://good-domain.com@attacker.com/hook.js

Did this work before? N/A

Chrome version: 51.0.2704.106 Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 22.0.0.192

Attachment: POC.zip (402 KB)
Components: UI>Browser>Omnibox
Owner: pkasting@chromium.org
I tried this, and I see the real URL of the website that I am redirected to in the address bar in the end. Would someone from Omnibox please verify if this works as intended?
Cc: kerrnel@chromium.org
Owner: ----
Status: WontFix (was: Unconfirmed)
I don't understand the attack here since there is no spoofing in the end: the correct URL shows up in the address bar. Also, I don't see any hook.js attached, so I don't understand this.

If you feel there is a legitimate address bar spoof here, please re-open with additional information. Thank you.
Hello, let me make it clear once.

Yes, the actual URL shows up in the address bar, but the impact is that it redirects somewhere else.
Ex: https://bing.com@fb.com, this whole URL will be shown to the user as well as in the address bar, but as you press enter, it redirects to fb.com rather than bing.com.

How can it be exploited?

An attacker can create any domain, for example [attacker.com], on which the attacker will run fake pages of any portals like facebook.com which will look similar to Facebook, Bing, Oracle etc. and can phish people.
Example: https://bing.com@attacker.com, where attacker.com will be hosting fake or similar-looking portals like Facebook etc. Any person would click on that link because Bing is supposed to be a brand and a well-known org, but it will be Facebook or some other pages like Bing, and the attacker will take advantage of it.

Another way to exploit?

Yes! There is a browser-based exploitation tool named BeEF, which has a small entity hook.js inside BeEF; an attacker can use it to redirect to any malicious link such as https://bing.com@attacker.com. Simply, without any warning, it will redirect to attacker.com which is hosting [hook.js], which will give a reverse connection to the attacker. If needed please have a look at the video: https://www.youtube.com/watch?v=gFajWO1sK2k

I hope I have explained well; all I need is that if any person is using '@' in the address bar, please give a pop-up.

Thank you, please let me know if any other info is needed.
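Why https://bing.com@attacker.com lands on attacker.com: in a URL authority everything before the last `@` is RFC 3986 userinfo, and only what follows it names the server. The following is an added example, not code from the report or from Chromium, that parses the report's links plus constructed ones and flags userinfo that reads like a hostname, the kind of warning a mail gateway or proxy could raise; `attacker.example` and the other extra links are constructed placeholders.

```python
from urllib.parse import urlsplit

# Links to scan: the report's own examples plus constructed ones.
# "attacker.example" is a constructed placeholder, not a real host.
SAMPLE_LINKS = [
    "https://google.com@fb.com",
    "https://bing.com@yahoo.com",
    "https://good-domain.com@attacker.example/hook.js",
    "https://user:secret@example.com/",         # ordinary credentials, not a decoy host
    "https://example.com/login?next=me@x.com",  # '@' outside the authority
    "https://example.com/",
]


def split_authority(url):
    """Return (userinfo, host) the way RFC 3986 does: within the authority,
    everything before the LAST '@' is userinfo; only what follows names the
    server. An '@' in the path or query never reaches the authority."""
    parts = urlsplit(url)
    userinfo, sep, _ = parts.netloc.rpartition("@")
    # parts.hostname already drops userinfo, port and IPv6 brackets (lower-cased).
    return (userinfo if sep else None, parts.hostname)


def looks_like_decoy_host(url):
    """True when the userinfo reads like a hostname (contains a dot), i.e. the
    part a reader is likely to take for the destination is not the destination."""
    userinfo, host = split_authority(url)
    if not userinfo or host is None:
        return False
    username = userinfo.split(":", 1)[0]
    return "." in username


def scan(links):
    """Return (link, decoy_label, real_host) for every link that deserves a warning."""
    flagged = []
    for link in links:
        if looks_like_decoy_host(link):
            userinfo, host = split_authority(link)
            flagged.append((link, userinfo, host))
    return flagged


if __name__ == "__main__":
    for link, decoy, host in scan(SAMPLE_LINKS):
        print(f"{link}\n    reads like {decoy!r} but connects to {host!r}")
```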

Comment 5 by mea...@chromium.org, Jul 25 2016

Mergedinto: 626951
Status: Duplicate (was: WontFix)
This issue has recently been discussed in bug 626951; please also see the explanations there.

Comment 6 by sheriffbot@chromium.org, Oct 29 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
