
Issue 656385


Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug




Security: Unvalidated / Open Redirect in Google Chrome, Chrome OS

Reported by hussaina...@gmail.com, Oct 15 2016

Issue description

Hi,

I would like to report an Open Redirect in Google Chrome / Desktop / OS.

I've just discovered it in my browser, version 54.0.2840.59.

If an attacker puts an https site after the @, the victim is redirected to that site, with https and also with http.

I tried this with https://facebook.com/ and https://gmail.com/

POC 

https://www.facebook.com@google.com / https://gmail.com@evil.com


Regards
Hussain
 

Comment 1 by mmoroz@chromium.org, Oct 17 2016

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: WontFix (was: Unconfirmed)
1. This is not "Unvalidated / Open Redirect". Please see: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

2. This is not a bug or a trick. This is a part of RFC 1738 (https://www.ietf.org/rfc/rfc1738.txt).
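
An added example, not part of the issue thread: the URLs from the report split with the WHATWG `URL` parser (as in Node.js and browsers), showing that the text before `@` is userinfo and the host is what follows it. The function name `inspectUrl` and the "userinfo looks like a hostname" heuristic are assumptions made here for link-checking code, not Chrome behaviour.

```javascript
// Userinfo that is itself shaped like a DNS name (label.label.tld).
const HOSTLIKE = /^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$/i;

// Returns null for input that is not an absolute URL, otherwise the
// host the client will actually contact plus any userinfo in front of it.
function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  // URL.username is percent-encoded; decode it for display and matching.
  let user;
  try {
    user = decodeURIComponent(u.username);
  } catch {
    user = u.username; // malformed escape, keep the raw form
  }
  const hasUserinfo = u.username !== "" || u.password !== "";
  return {
    host: u.hostname,
    userinfo: hasUserinfo ? user : null,
    // Flag only when the userinfo imitates a different hostname.
    hostLikeUserinfo:
      hasUserinfo && HOSTLIKE.test(user) && user.toLowerCase() !== u.hostname,
  };
}

// The two URLs from the report, followed by constructed samples.
const samples = [
  "https://www.facebook.com@google.com",
  "https://gmail.com@evil.com",
  "https://gmail.com:443@evil.com/",        // constructed: "port" is really a password
  "https://alice:s3cret@example.org/",      // constructed: ordinary credentials
  "https://example.org/?next=a@b.example",  // constructed: @ outside the authority
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(inspectUrl(s)));
}
```
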
