
Issue 664028

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 626951
Owner: ----
Closed: Nov 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Chrome takes directly to a malicious website if the mail url is appended with an '@' followed by the malicious link

Reported by subodh.p...@gmail.com, Nov 10 2016

Issue description

VULNERABILITY DETAILS

Hi, if you send a link to a victim like https://gmail.com@maliciouswebsite.com, the Chrome browser will take them directly to maliciouswebsite.com without giving any warning.

VERSION
Chrome Version: [54.0.2840.71 m][stable]
Operating System: [Win 7 Professional Service Pack 1]

REPRODUCTION CASE
Open the URL https://gmail.com@twitter.com.
Observe that you are taken directly to the Twitter website without any warning of a possible phishing attempt.
In browsers like Firefox you can see a warning message if you open a URL crafted like this.
Attachment: firefox_warning.JPG (64.6 KB)
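The behaviour in the report comes straight from how the WHATWG URL grammar treats everything before the first "@" in the authority as userinfo, not as the host. The following is an added example (not code from the reporter or from Chromium) that uses Node's built-in URL parser, which implements the same grammar as Chrome, to show which part of https://gmail.com@twitter.com is the real origin, and then applies a simple client-side heuristic that flags URLs whose userinfo looks like a hostname. The heuristic, the function names and the sample inputs are assumptions of this example, not a browser rule.

```javascript
// Added example: parse a URL with a userinfo component the way a WHATWG
// parser does, and flag userinfo that looks like a hostname.
// Illustration code, not Chromium's or the reporter's.

// Decode a percent-encoded component, returning the raw value if malformed.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s;
  }
}

// Return the components a phishing-aware check would look at.
// The "host"/"origin" fields are what the URL bar reflects; the "username"
// field is the part before "@" that an attacker hopes the victim reads as the site.
function describeUrl(input) {
  const u = new URL(input); // throws TypeError on an invalid URL
  return {
    scheme: u.protocol.replace(/:$/, ""),
    username: safeDecode(u.username),
    password: u.password,
    host: u.hostname,
    origin: u.origin,
  };
}

// Heuristic (an assumption of this example): a basic-auth username rarely
// contains a dot-separated label ending in a TLD-like suffix, so userinfo
// such as "gmail.com" or "gmail.com/mail" is treated as a spoof attempt.
const HOSTLIKE = /[a-z0-9-]+\.[a-z]{2,}/i;

function looksLikeUserinfoSpoof(input) {
  let u;
  try {
    u = new URL(input);
  } catch {
    return false; // not a parseable URL, nothing to judge
  }
  if (!u.username) return false;
  return HOSTLIKE.test(safeDecode(u.username));
}

// Constructed sample inputs for demonstration.
const samples = [
  "https://gmail.com@twitter.com",
  "https://gmail.com%2Fmail@twitter.com/login",
  "https://user:secret@example.net/",
  "https://twitter.com/",
];

for (const s of samples) {
  const d = describeUrl(s);
  console.log(
    `${s}\n  host=${d.host} username=${JSON.stringify(d.username)} spoof=${looksLikeUserinfoSpoof(s)}`
  );
}
```

Running it shows the host for the first two samples is twitter.com and the "gmail.com" text lives only in the username field, which is exactly why the URL bar, which displays the host, is the reliable indicator. The heuristic is cheap enough to run in a link-scanning proxy or a mail filter, but it is a heuristic: legitimate basic-auth URLs with dotted usernames will trip it.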

Comment 1 by rickyz@chromium.org, Nov 10 2016

Mergedinto: 626951
Status: Duplicate (was: Unconfirmed)
Hi, this is intentional - we consider this OK since we always display the correct URL in the URL bar, and that is the only source of truth for which origin you are on.

Comment 2 by rickyz@chromium.org, Nov 10 2016

Labels: -Restrict-View-SecurityTeam

Comment 3 by sheriffbot@chromium.org, Feb 17 2017

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
