Issue metadata
Sign in to add a comment
|
Address Bar Spoofing Chromium Browser Linux.
Reported by
mishra.d...@gmail.com,
Nov 12 2016
|
||||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 Steps to reproduce the problem: Please find the attachment. 1. Open Spoof.html 2. Hit Go. 3. The Address Bar gets spoofed. What is the expected behavior? What went wrong? Or Please visit : http://hackies.in/spoof.html Thank You. Did this work before? N/A Chrome version: 53.0.2785.143 (Developer Build) Built on Ubuntu , running on Ubuntu 16.04 (64-bit) Channel: n/a OS Version: 53.0.2785.143 Flash Version: Shockwave Flash 11.2 r202
,
Nov 14 2016
Just reading the attached repro files, it looks like it will flood the browser process with navigations, which will make the page indeed be unresponsive. The eventually going blank is when the paint IPCs are processed after all of the navigation IPCs in the queue before the paint ones are processed. Assigning to creis@ for now, since I won't be able to look at it in depth for a couple of days.
,
Nov 15 2016
I think this boils down to issue 497588 , where a tab becomes unresponsive immediately after committing a new navigation. That's a fairly low severity spoof because the user can't interact with it, and kenrb@ implemented a mitigation where it goes blank after 2 seconds. In my attempts to repro, the page always goes blank after a short delay, both on Linux and Windows. I'm sure that it's possible to tweak the parameters to DoS the browser and delay the blank paint, but that's fragile and is unlikely to work well across machines. It also boils down to IPC DoS in general (which is issue 394296 ). I don't think there's much else to do here. Ken, do you see anything else we should change or tweak here, or should this be a duplicate of issue 497588 ? (Is there some way that this page could deterministically break the paint timer that we should look into?)
,
Nov 15 2016
The timer is actually set to 4 seconds. Locally, the spoofed content doesn't display for longer than that, which would be working as intended. Has anybody been able to make it display for longer than that? For the record, the opinion on security risk was that a page could contain instructions to do something like call a phone number, and a spoofed URL above it could give it unwarranted credibility. A relatively short threshold seemed like it would mitigate this risk, so you would need the content displayed for a significant amount of time underneath the spoofed URL.
,
Nov 15 2016
Yes by changing the setTimeout() or the timer value will make the fake page stable and longer. Thank you
,
Nov 16 2016
Hi , However i would like to add few more points the above bug works in Android OS i.e Chrome, Dev , Beta , Canary as well. Just replacing location parameter to http://m.facebook.com/index.php w.location.replace('http://www.m.facebook.com/index.php?'+n);n++; Some Attachment for reference. Thank you
,
Dec 9 2016
Dear Team , Any updates on the above issue , please let me know. Thank you
,
Mar 28 2017
This looks exactly like bug 648117 , neither of which repro after https://codereview.chromium.org/2702433002.
,
Jul 5 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by rickyz@chromium.org
, Nov 14 2016Labels: Security_Severity-Low Security_Impact-Stable
Owner: nasko@chromium.org
Status: Assigned (was: Unconfirmed)