Issue metadata
Sign in to add a comment
|
Security: Chrome Address Bar URL spoofing and Download spoofing
Reported by
gnehs...@gmail.com,
Nov 3 2016
|
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS when navigating to a URL with a 204 response or download file, chrome does not change the URL of the address bar and the current page will stop loading. VERSION Chrome Version: 54.0.2840.90 (64-bit) stable Operating System: Ubuntu 16.04.1 LTS REPRODUCTION CASE Address Bar URL spoofing 1.click the link, open a window and navigate to the URL that contains anything we want to display. 2.navigate the window to www.amazon.com, once the address bar changes navigate to the URL with the 204 response. Download spoofing 1.click the download link, open a window and navigate to the download page. 2.when the download page loads completely, navigate to the fake download URL. 3.the download dialog box for the fake download file is pop-up, and the real download file will be intercepted by the chrome, see download_spoofing-2.jpg.
,
Nov 4 2016
jialiul -- can you triage this? thx.
,
Nov 4 2016
The download spoofing part is a duplicate of issue 649208 . Not sure about the URL spoofing part. It feels WAI for me, but maybe we should do better in handling 204 response. I'm not an expert on this.
,
Nov 4 2016
I understand, their underlying issue is the same: current navigation handler does not have the true initiator information if frame/tab target each other. We're working on it.
,
Nov 7 2016
I'm not able to reproduce the URL spoofing. When I click the amazon link, it loads amazon.com with the proper title/url. This is on 54.0.2840.90 linux.
,
Feb 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 Deleted