Issue 658751

Issue metadata

Status: Duplicate
Merged: issue 658139
Owner: ----
Closed: Oct 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: URI Obfuscation via userinfo component

Reported by craxerbi...@gmail.com, Oct 24 2016

Issue description

Typically, when obfuscating a URL, you must trick someone into viewing a website they did not want to view by tempting them with something they are familiar with.

Products affected:

Latest version of Google Chrome for Android

Steps To Reproduce:

We can trick someone into viewing it like this:
http://example.com@sample.com
This will make the user think they are going to go to example.com, when really they are going to sample.com.

Live POC:
https://google.com@gmail.com

They thought they would be redirected to google.com, but the page displays gmail.com

Labels: -Restrict-View-SecurityTeam
Mergedinto: 658139
Status: Duplicate (was: Unconfirmed)
Summary: Security: URI Obfuscation via userinfo component (was: Security: URI Obfuscation)
Acceptance of (non-standards-based) userinfo in HTTP(S) URLs is "Working-as-intended" behavior. The browser omnibox hides the userinfo component as a measure to mitigate spoofing attacks.
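
How a WHATWG-style URL parser splits the URLs from this report, shown as an added example (not part of the original report or of Chromium's code): everything before `@` is userinfo, and the destination is the host after it. `looksLikeHost`, `analyzeUrl` and `displayUrl` are hypothetical helper names, and the hostname heuristic is an assumption; `displayUrl` drops the userinfo in the spirit of the omnibox mitigation described in the comment above.

```javascript
// Added example. Uses the standard URL class (browsers and Node.js).

// Heuristic (assumption): userinfo shaped like "label.label.tld" can be
// mistaken for the destination host by a reader.
function looksLikeHost(text) {
  return /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i.test(text);
}

// Report which host a URL really targets and whether its userinfo
// component is likely to mislead someone reading the raw string.
function analyzeUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (err) {
    return { valid: false }; // not an absolute URL
  }
  const hasUserinfo = url.username !== "" || url.password !== "";
  return {
    valid: true,
    host: url.hostname,                       // where the request goes
    userinfo: hasUserinfo ? url.username : null,
    misleading:
      hasUserinfo &&
      looksLikeHost(url.username) &&
      url.username.toLowerCase() !== url.hostname,
  };
}

// Form that is safe to show a user: userinfo removed, host left in place.
function displayUrl(input) {
  const url = new URL(input);
  url.username = "";
  url.password = "";
  return url.href;
}

// URLs taken from the report, plus one constructed URL without userinfo.
for (const sample of [
  "http://example.com@sample.com",
  "https://google.com@gmail.com",
  "https://sample.com/",
]) {
  console.log(sample, analyzeUrl(sample), displayUrl(sample));
}
```

The same check can be applied to links in received mail or chat messages before they are rendered, so the reader sees the host that will actually be contacted.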
Cc: emilyschechter@chromium.org nparker@chromium.org elawrence@chromium.org
Issue 658600 has been merged into this issue.
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 31 2017

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot