
Issue 656248

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Status Bar Obfuscation

Reported by elamaran...@gmail.com, Oct 15 2016

Issue description

Steps To Reproduce:

   1) Open the HTML file (test.html).
   2) You will see a hyperlink of google.com, so hover your mouse over it.
   3) See the status bar (located at the lower left of the browser) and you will see the link where it should be redirected.
   4) Now, click the hyperlink and you will be redirected to another website which is not the expected website.

 
test.html
219 bytes

Comment 1 by mmoroz@chromium.org, Oct 15 2016

Labels: Needs-Feedback
Can you explain the security impact of this?

Thanks for the reply! The victim will be redirected to the attacker's website "xyz.com" instead of the expected website "www.google.com" in the hyperlink.
Though the status bar shows that the destination link is "www.google.com", the victim is redirected to the attacker's website!
POC screenshot attached for reference!
chrome.png
138 KB

Labels: -Restrict-View-SecurityTeam -Needs-Feedback
Status: WontFix (was: Unconfirmed)
The status bubble is not considered a security indicator. See https://www.chromium.org/user-experience/status-bubble#TOC-Lack-of-Security for more information.

Thanks for the update! I think you misunderstood the problem! The actual problem is: the user got redirected to an unintended website instead of the expected website! This is not related to the status bubble!

Comment 7 by mea...@chromium.org, Nov 21 2016

Issue 667100 has been merged into this issue.
