
Issue 658139 link

Starred by 4 users

Issue metadata

Status: Duplicate
Merged: issue 626951
Owner: ----
Closed: Oct 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug




Security: Google Chrome Browser URI Obfuscation Vulnerability

Reported by mohdaqee...@gmail.com, Oct 21 2016

Issue description

VULNERABILITY DETAILS

It has been discovered that the Google Chrome browser is prone to a URI obfuscation vulnerability that makes users access a spoofed website rather than the intended destination.

The problem occurs when a Chrome user visits a user@host URI formatted in such a way (http://www.good.com@evil.com/) that the 'user' part contains the actual site location and the 'host' part contains the deceptive site location; the browser strips the 'user' part and loads the 'host' part without any user confirmation/notification.

This could be used in conjunction with other browser vulnerabilities to trick a user into following a malicious link.

Note: Other browsers have already fixed this vulnerability. Find the proof of concept screenshot taken using Firefox. 

VERSION

Chrome Version: [Version 53.0.2785.143 m]
Operating System: [Windows 8.1]


REPRODUCTION CASE

Follow any of the links listed below and observe that you'll be redirected to the host part of the URI without any confirmation/notification.

[+] https://www.google.com@www.google.com.vulnerabilities.in

[+] https://console.developers.google.com@www.google.com.vulnerabilities.in

[+] http://www.google.com.about.appsecurity.chrome-rewards.index@www.google.com.vulnerabilities.in


REMEDIATION

The browser must stop the load and confirm with the user that they are really visiting the site they expected to visit when 'user@host' URIs are used.


Best Regards,
Mohd Aqeel Ahmed
Cyber Professional Security Researcher

 
Attachment: chrome1.jpg (25.9 KB)
Status: Untriaged (was: Unconfirmed)
Acceptance of (non-standards-based) userinfo in HTTP(S) URLs is "Working-as-intended" behavior. The browser omnibox hides the userinfo component as a measure to mitigate spoofing attacks.

The warning shown in Firefox is significantly less scary if the attacker simply responds with an HTTP/401 challenge on the target request.

Internet Explorer has not supported userinfo in HTTP(S) URLs since version 7; https://support.microsoft.com/en-us/kb/834489
Components: Security>UX
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: WontFix (was: Untriaged)
I'm inclined to say this is working as intended, but adding Security>UX in case anyone disagrees.
Issue 658602 has been merged into this issue.
Issue 658751 has been merged into this issue.
https://m.youtube.com/watch?v=xAzeYINgUPM
Here is a video which I made as a PoC
Cc: emilyschechter@chromium.org nparker@chromium.org elawrence@chromium.org
Issue 658600 has been merged into this issue.
Mergedinto: 626951
Status: Duplicate (was: WontFix)
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label
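
The user@host pattern from the report and the hide-the-userinfo mitigation mentioned in the comments can be checked on the defender's side, for example in a mail or chat link filter. The following is an added example, not code from Chrome or from the reporter; `inspectLink`, its result fields and the sample list are hypothetical names, and it assumes a runtime with the WHATWG `URL` class (Node.js or a browser).

```javascript
// Added example: flag HTTP(S) links whose userinfo imitates a hostname.
// inspectLink and its result fields are hypothetical names, not Chrome code.

// Loose "looks like a DNS name" test for the decoded user part.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (_) { return s; }
}

function inspectLink(raw) {
  let u;
  try { u = new URL(raw); } catch (_) { return { valid: false }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { valid: true, checked: false };
  }
  const user = safeDecode(u.username);
  const result = {
    valid: true,
    checked: true,
    hasUserinfo: u.username !== '' || u.password !== '',
    user,
    host: u.hostname, // the only part that decides where the request goes
    userLooksLikeHost: HOSTLIKE.test(user),
  };
  // Same idea as the omnibox mitigation: show the URL without userinfo.
  u.username = '';
  u.password = '';
  result.display = u.href;
  return result;
}

// Constructed sample input; the first entry is the example from the report.
const samples = [
  'http://www.good.com@evil.com/',
  'https://alice:secret@intranet.example/', // userinfo, but not host-like
  'https://www.example.com/path?x=a@b',     // '@' only in the query string
];
for (const s of samples) {
  const r = inspectLink(s);
  const verdict = !r.hasUserinfo ? 'clean'
    : r.userLooksLikeHost ? 'userinfo imitates a host' : 'userinfo present';
  console.log(`${s} -> loads ${r.host} (${verdict}), display as ${r.display}`);
}
```
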
