
Issue 656440 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




URI Obfuscation

Reported by sajibeka...@gmail.com, Oct 16 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

Steps to reproduce the problem:

We can trick someone into viewing it like this:

http://example.com@sample.com

This will make the user think they are going to go to example.com, when really they are going to sample.com.

Live POC:
https://chrome.com@secuna.ph/

They thought they would be redirected to chrome.com, but the page displays secuna.ph.

I attached a picture; make sure to focus your eyes on the URL address.

What is the expected behavior?
none

What went wrong?
none

Did this work before? No 

Chrome version: 53.0.2785.143  Channel: n/a
OS Version: 8.1
Flash Version: Shockwave Flash 23.0 r0
 
Attachment: chrome.PNG (902 KB)

Comment 1 by mmoroz@chromium.org, Oct 17 2016

Components: Security>UX
Status: WontFix (was: Unconfirmed)
Thanks for your report.

This is not a bug or a trick. This is a part of RFC 1738 (https://www.ietf.org/rfc/rfc1738.txt).

Since an ordinary user may not be familiar with those things, there is a color difference in the URL bar (please see your screenshot) that highlights the domain and makes authentication data less visible to prevent possible confusion.
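The point made above, that the text before `@` is the userinfo part of the authority rather than the host, can be checked mechanically. The following is an added example (not code from this report or from Chromium) showing how a link scanner or log filter might parse such URLs and surface the ones whose userinfo looks like a domain name; the function names `analyze_url` and `scan_links` and the host-like heuristic are assumptions of this example.

```python
"""Userinfo-in-URL check (constructed example, not Chromium code).

Per RFC 1738 the text before '@' in the authority is the userinfo,
not the host, so http://example.com@sample.com connects to sample.com.
This helper shows how a reviewer's tooling can surface such links.
"""
import re
from urllib.parse import urlsplit

# Hypothetical heuristic: a userinfo that looks like a registrable domain
# (e.g. "chrome.com") is the pattern the report above relies on.
_HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def analyze_url(url: str) -> dict:
    """Return the real host, the userinfo part, and a deception flag."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    userinfo = ""
    if "@" in parts.netloc:
        # Everything before the last '@' is userinfo (user[:password]).
        userinfo = parts.netloc.rsplit("@", 1)[0]
    username = userinfo.split(":", 1)[0]
    return {
        "real_host": host,
        "userinfo": userinfo,
        "has_userinfo": bool(userinfo),
        # Flag when the username alone reads like a domain that differs from the host.
        "looks_deceptive": bool(_HOSTLIKE.match(username))
        and username.lower() != host.lower(),
    }


def scan_links(urls):
    """Return only the URLs a reviewer should look at."""
    return [u for u in urls if analyze_url(u)["looks_deceptive"]]


if __name__ == "__main__":
    sample = [  # constructed sample links, including the one from the report
        "https://chrome.com@secuna.ph/",
        "http://example.com@sample.com",
        "https://user:pw@files.example.net/x",
        "https://example.com/login",
    ]
    for u in sample:
        print(u, "->", analyze_url(u))
    print("flagged:", scan_links(sample))
```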
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label

Comment 3 by sheriffbot@chromium.org, Jan 24 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
