Issue metadata
Sign in to add a comment
|
Security: Chrome browser hacked
Reported by
ramamosk...@gmail.com,
Oct 4 2016
|
||||||||||||||||||
Issue descriptionFeel free to IM/email call me for more details. My Chrome browser seems to have been compromised by someone leveraging an otherwise valid cert for *.com.com. I use browser bookmarks to log in to my stock broker and all other value sites I use. Today that link (https://wwws.ameritrade.com/grid/p/site) resolved to a site that served up a valid (i.e. trusted by Chrome / MAC OS current) though the name did not match (*.com.com from a CA trusted by my Mac). regards, Ram PS hopefully it's just me - FWIW curl will not resolve that DNS name although it's been valid for a decade+ as a large brokerage now known as TDAMeritrade; DNS appears at first glance to still be registered to TDA. VULNERABILITY DETAILS DNS worked around and valid but wrong cert presented. VERSION Chrome Version: Current stable OSX: 10.11.6 (15G1004) REPRODUCTION CASE Visiting the URL by clicking the book mark or copy/pasting into address bar results in redirects to various icky looking commerce sites for a variety of goods (e.g. https://gen.xyz/register?aid=99999&domain=wwws.ameritrade.com)
,
Oct 4 2016
Thanks elawre, that's a very reasonable first theory. Note that on my same system neither Safari and Firefox are able to resolve DNS for the server in question and neither is curl. Attached find the net-log as requested.
,
Oct 4 2016
This is probably informative as well. Note that the DNS on this puppy is odd: > set q=soa > wwws.ameritrade.com Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: *** Can't find wwws.ameritrade.com: No answer Authoritative answers can be found from: com.com origin = ns-180.awsdns-22.com mail addr = awsdns-hostmaster.amazon.com serial = 1 refresh = 7200 retry = 900 expire = 1209600 minimum = 86400 > server ns-180.awsdns-22.com Default server: ns-180.awsdns-22.com Address: 205.251.192.180#53 > set q=a > wwws.ameritrade.com Server: ns-180.awsdns-22.com Address: 205.251.192.180#53 Name: wwws.ameritrade.com.com Address: 54.201.82.69 Name: wwws.ameritrade.com.com Address: 52.33.196.199 As you can see google DNS is indicating the SOA for wwws.ameritrade.com as what appears to be an Amazon DNS server. That server is returning an address ending in ".com.com" which is clearly *not* owned by TDAmeritrade. Note further that curl can't resolve wwws.ameritrade.com.
,
Oct 4 2016
Also note that the link you sent is for Windows but I'm on OS X per the Version info in the initial bug report.
,
Oct 4 2016
I think that would confirm the malware hypothesis, or a hostile network. 8.8.8.8 is giving me a NXDOMAIN for wwws.ameritrade.com. I don't think there is a chrome browser bug here given the above DNS.
,
Oct 4 2016
Interesting. I've tried each of the following third party recursive resolvers and they return A records: https://toolbox.googleapps.com/apps/dig/#A/ameritrade.com http://mxtoolbox.com/SuperTool.aspx?action=a%3aameritrade.com&run=toolpage https://www.ultratools.com/tools/dnsLookupResult http://ping.eu/nslookup/ So either all those tools are using a local to my host/network (i.e. browser calling my OS) resolver or something else is up. I'll dig (hah!) a bit more using some other boxes, you can leave this as closed/wontfix if you like. If I come back it will be with stronger data. thanks for your time ram
,
Oct 4 2016
Last piece of data. I tried a query against both 8.8.8.8 and an OpenDNS server, here are the results from my (sick) system: > server 208.67.222.222 #OpenDNS Default server: 208.67.222.222 Address: 208.67.222.222#53 > wwws.ameritrade.com. Server: 208.67.222.222 Address: 208.67.222.222#53 ** server can't find wwws.ameritrade.com.: NXDOMAIN > server 8.8.8.8 #Googel DNS Default server: 8.8.8.8 Address: 8.8.8.8#53 > wwws.ameritrade.com Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: Name: wwws.ameritrade.com.com Address: 54.201.82.69 Name: wwws.ameritrade.com.com Address: 52.33.196.199 I also tried with 8.8.4.4 but that doesn't get trapped/spoofed. Looks like something on my machine is targeting DNS requests to 8.8.8.8 and stuffing responses that are bad for me. The certificate for *.com.com is being used to try to work around TLS though the name mismatch error will stop some (few?) users from reaching the bad destination. I'll wipe chrome off my system and hope that does the trick, if not I have to rebuild. As this affects only one system on my home network the problem is either with Chrome on that system (or an extension etc) or it is with the host OS itself. Either way I should be fine and I guess I'll read more about this when it is more widely deployed. thanks for your help Ram
,
Oct 4 2016
Close the ticket. Some more testing revealed that all user accounts on the machine were affected when using Chrome or /usr/bin/curl but not when using FF nor Safari - not sure what to make of that. Other systems on the network were not affected at all. Wiping system. thanks for your support. Ram
,
Jan 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Oct 4 2016