
Issue 661602


Issue metadata

Status: Duplicate
Merged: issue 594215
Owner: ----
Closed: Nov 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Misleading URL in Chrome via Command Injection

Reported by romain.e...@gmail.com, Nov 2 2016

Issue description

Hi, I'm sorry if this is not the right place to write this, or if this is a concern that does not bother you.

VULNERABILITY DETAILS
A website contains obfuscated JavaScript that "hides" the correct display of the URL, with a command injection. It also includes blank spaces and hides the beginning of the URL. You can see it for yourself here:

WARNING : this website is a scam website.
[SCAM URL - replace x with t] hxxp://awog-berlin.de/https://mobile.free.fr/rembourssement [/SCAM URL]

VERSION
Chrome Version: All > 5
Operating System: All

REPRODUCTION CASE
See the pdf-free3.png file, or click the link above.

Best regards,
Romain ENOUF

romain.enouf@gmail.com - (+33) 6 86 65 81 14

Attachment: pdf-free3.png (88.5 KB)
Cc: mea...@chromium.org
Mergedinto: 594215
Status: Duplicate (was: Unconfirmed)
This is a common use of data:URL for phishing, and we're planning to disallow navigations.
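The pattern named in the report and in the reply above (a data: URL whose visible start looks like a legitimate address, followed by blank-space padding), as an added triage sketch for links seen in mail or proxy logs; it is not part of the original thread and not Chromium's code. The function name, the finding labels, the 20-character whitespace threshold and the sample URLs are assumptions made for this example, and base64 decoding uses Node.js `Buffer`.

```javascript
// Added example: heuristic triage of data: URLs (names and thresholds are assumptions).
function assessDataUrl(raw) {
  const findings = [];
  const url = String(raw).trim();
  if (!/^data:/i.test(url)) return findings;           // only data: URLs are assessed

  const comma = url.indexOf(',');
  if (comma === -1) return ['malformed-data-url'];
  const header = url.slice(5, comma).toLowerCase();    // "mediatype;params"
  const isBase64 = /;\s*base64\s*$/.test(header);
  const mediaType = header.split(';')[0].trim() || 'text/plain';

  // Only renderable documents can stand in for a real page.
  if (mediaType === 'text/html' || mediaType === 'image/svg+xml') {
    findings.push('renderable-document');
  }

  // Decode the payload so padding hidden as %20 or base64 is still seen.
  let body = url.slice(comma + 1);
  if (isBase64) {
    body = Buffer.from(body, 'base64').toString('utf8');
  } else {
    try { body = decodeURIComponent(body); } catch (e) { /* keep raw text */ }
  }

  // A readable URL at the start fills the visible part of the address bar.
  if (/^\s*https?:\/\/[^\s<]+/i.test(body)) findings.push('leading-lookalike-url');
  // A long whitespace run pushes the real markup out of view.
  if (/\s{20,}/.test(body)) findings.push('whitespace-padding');
  if (/<script\b/i.test(body)) findings.push('inline-script');
  return findings;
}

// Constructed samples; example.test is a reserved placeholder domain.
const PAYLOAD = 'https://login.example.test/account' + ' '.repeat(200) +
  '<script>/* constructed placeholder */</script>';
const PADDED = 'data:text/html,' + PAYLOAD;
const PADDED_B64 = 'data:text/html;base64,' + Buffer.from(PAYLOAD).toString('base64');
const BENIGN_IMAGE = 'data:image/png;base64,iVBORw0KGgo=';

for (const sample of [PADDED, PADDED_B64, BENIGN_IMAGE]) {
  console.log(sample.slice(0, 40), '->', assessDataUrl(sample).join(',') || 'no findings');
}
```
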
Project Member

Comment 2 by sheriffbot@chromium.org, Apr 22 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
