Issue 650106
Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: ----
Type: Bug-Security
Security: Chrome URL And Javascript Prompt Origin Spoof Vulnerability

Reported by carecybe...@gmail.com, Sep 25 2016

Issue description

Description
A domain with a port number in the Safari browser: if the character behind the colon (:) is non-numeric, the colon (:) is displayed before the domain name in the address bar, the default page rendering can be blank, and it can be changed arbitrarily. The attacker can carefully construct a malicious phishing page, forge any domain in the address bar, and change the content of the page. On iPhone/iPad, the source of JavaScript-created alerts and warnings is forged, and the HTTPS in the address bar comes with a small lock icon, which makes users believe that the current domain is more credible.

Steps to reproduce
Just copy and save the below code as URL.html or anything with an html extension.

<!-- Link whose href carries a non-digit after the port number; the click also schedules fake() -->
<a href="https://www.gmail.com:443." target="aa" onclick="setTimeout('fake()',100)"><h1>click me</h1></a>
<script>
function fake() {
  // Open a javascript: URL in the named window "aa" and overwrite its body
  var t = window.open('javascript:alert(1)', 'aa');
  t.document.body.innerHTML = '<title>Gmail</title><H1>Fake Page!!!--hack by Vivek</H1>';
}
</script>

Open the saved URL.html in the browser and click on the "click me" link. A pop-up shows in a new window, showing the origin spoof vulnerability.

I have tested this on Chrome 53 on Android running the Lollipop version.

Attachment: 2016_09_26_02_00_07_02_08_34.gif (227 KB)
Labels: OS-Android
The GIF animation does not appear to show the attack described.
I have saved the file as gf.html and opened it in the browser, then clicked on the "click me" link.

Attachment: 2016_09_26_06_25_00.mp4 (7.9 MB)
Labels: Needs-Feedback
The mp4 video in #3 shows a page whereby the page URL is shown as about:blank and a JavaScript alert dialog is shown. Subsequently, text is written to the about:blank markup.

That is working as intended; any page can open about:blank and then document.write anything it likes into the page.

Do you have a different version of this attack where the URL shown by the browser is something misleading, e.g. Google.com?
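The triage above rests on two parsing facts: a URL port must consist of digits only, so the PoC's href is not a valid URL at all, and about:blank and javascript: URLs carry an opaque origin with no host to misrepresent. The following script is an added illustration, not code from the bug report or from Chromium; it assumes only Node's built-in URL class, which implements WHATWG URL parsing, and uses constructed sample inputs (the PoC href, two well-formed variants, and the two URL kinds the PoC's window.open() call produces).

```javascript
// Added example (not part of the original bug report): how a standards-based
// URL parser (Node's built-in URL class) treats the href used in the PoC
// versus well-formed variants, and what origin the about:blank / javascript:
// windows the PoC opens actually have.

// Classify a URL string the way a defender reviewing a spoof report would:
// does it parse at all, and if so which origin would be attributed to it?
function classifyUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    // Per the WHATWG URL standard a port is ASCII digits only; anything
    // else is a parse failure, so such an href never reaches the claimed host.
    return { valid: false, reason: 'invalid URL' };
  }
  // about:blank and javascript: URLs have an opaque origin, which the URL
  // API reports as the string "null": there is no hostname to spoof.
  return {
    valid: true,
    origin: url.origin,
    hostname: url.hostname,
    port: url.port, // '' when the port is the scheme default (443 for https)
    opaqueOrigin: url.origin === 'null',
  };
}

// Constructed sample inputs.
const SAMPLES = [
  'https://www.gmail.com:443.',  // the PoC href: non-digit after the port
  'https://www.gmail.com:443/',  // well-formed; default port is dropped
  'https://www.gmail.com:8443/', // well-formed; explicit non-default port
  'about:blank',                 // what the named window shows
  'javascript:alert(1)',         // what the PoC passes to window.open()
];

function runSamples() {
  const out = {};
  for (const s of SAMPLES) out[s] = classifyUrl(s);
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Running it shows the PoC href rejected as invalid, the well-formed variants resolving to the https://www.gmail.com origin, and both about:blank and javascript:alert(1) reporting the opaque origin "null", which is why a page that opens such a window and writes into it is not spoofing any address.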

Comment 5 by kenrb@chromium.org, Oct 3 2016

Status: WontFix (was: Unconfirmed)

Comment 6 by sheriffbot@chromium.org, Jan 9 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot