Issue metadata
Sign in to add a comment
|
Security URL Redirection bug
Reported by
tahir.vb...@gmail.com,
Sep 12 2016
|
||||||||||||||||||||||||
Issue descriptionChrome Version : 53.0.2785.101 (Official Build) m (32-bit) Revision : d68319683072a27031ebac6ac151e59f4190cab7-refs/branch-heads/2785@{#838} OS : Windows URLs : http://facebook.com@google.com Other browsers tested: Firefox (But Firefox and IE has High Security Against this Bug Please See proof in Screenshots) Add OK or FAIL, along with the version, after other browsers where you have tested this issue: Safari: Do not know Firefox: (Issue Fixed) IE: (Issue Fixed) What steps will reproduce the problem? (1)write http://facebook.com@google.com in address bar of Google Chrome (2)press Enter (3)You will be redirected to google.com without any warning(Firefox and IE gives Security warning) What is the expected result? There Should Be open mailto: protocol for URL containing @ sign. you can see that if we write this on chrome address bar: mailto:facebook.com@google.com then default mail client will appear and recipient will selected as facebook.com@google.com (Same This Should be for against this security issue or at least Give warning to user that they are redirecting to website after @ like firefox gives security warning) What happens instead? When We Open http://facebook.com@google.com then Redirection to website after @ occur so It can trick user to redirect from real website to phishing website and can allow attackers to steal creadet card info using special crafted URL By this vulnerability. Behavior of Internet Explorer and Firefox is attached . Thanks
,
Sep 12 2016
Triaging to navigation folks. This seems reasonable.
,
Sep 12 2016
I think this is a WontFix. http://facebook.com@google.com is of the form http://username:password@host.com, which is a valid way of specifying HTTP authentication. I would imagine that we need to load it as a URL to meet the spec. Firefox's warning seems like a heuristic for the case that the site doesn't expect HTTP authentication, to avoid confusing users who don't know about that type of URL. That could be a nice thing to have, though we're generally against modal dialogs and I'd be hesitant to use an interstitial page for this. palmer@, do you think it's worth changing anything here? (Note for the reporter: For reporting future security bugs, please follow these instructions to find the correct template: https://www.chromium.org/Home/chromium-security/reporting-security-bugs. In this case, though, it's not a security bug.)
,
Sep 13 2016
IE's behavior is just wrong. Firefox' behavior is, IMO, a bit unnecessarily naggy; given that we don't do dialogs like this, we'd use an interstitial or infobar, and I'm not convinced either are appropriate.
,
Sep 13 2016
going with http://username:password@site.com will not login you it is not a right behavior also mailto: dialog should appear
,
Sep 13 2016
http://username:password@site.com is a valid, well-formed URL using the username and password fields of the URL to do HTTP auth. It's not an email address. Showing a mailto prompt would be incorrect and your statement that this "will not login you [sic] it is not a right behavior" is also incorrect. For example: http://www.pagetutor.com/keeper/mystash/secretstuff.html [shows HTTP auth dialog] http://jimmy:page@www.pagetutor.com/keeper/mystash/secretstuff.html [logs in directly] |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by tahir.vb...@gmail.com
, Sep 12 2016