
Issue 670265

Starred by 5 users

Issue metadata

Status: WontFix
Owner:
Closed: Dec 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: ----
Type: Bug-Security




Security: URL Spoof using Select areas

Reported by habte.yi...@gmail.com, Dec 1 2016

Issue description

Hello,

I don't know if you classify URL spoofing bugs as security, but I think I saw bounties and CVEs being issued for them.

VULNERABILITY DETAILS

Basically, this is a URL spoof using <select> fields. For some weird reason they can get out of the window, up to the URL bar. This makes it possible to spoof URLs by using various CSS/JS techniques.

VERSION
Chrome Version: All
Operating System: Win 7, 8, 10

REPRODUCTION CASE
Here is an unlisted POC: https://www.youtube.com/watch?v=5Yk2mQJ9MwM&feature=youtu.be (reproduction files attached) - obviously a much cleaner and more real-looking POC can be made, but I think you got the idea.

Thanks,
Paulos

 
Attachment: poc.7z (552 bytes)
Components: Blink>Forms>Select
Labels: Security_Severity-Low Security_Impact-Stable
Owner: dtapu...@chromium.org
Status: Assigned (was: Unconfirmed)
dtapuska, could you please take a look? Looks similar to bug 565760. I couldn't repro this with the repro provided, but I'm assuming this impacts stable if it's legit.
Labels: OS-All
Owner: tkent@chromium.org
Sending over to tkent@ as he fixed the viewport clipping issue in 565760

Comment 4 by tkent@chromium.org, Dec 1 2016

Status: WontFix (was: Assigned)
We know this behavior, and this works as intended.

I don't think this behavior has a security risk.
- It's impossible for SELECT popups to emulate the appearance of the URL bar.
  - It's impossible to remove SELECT popup border.
  - It's impossible to change delimiter style in SELECT popups.
- Even if a user trusts the spoofed URL, a malicious site can do almost nothing while a SELECT popup is opening.
  For example, if a malicious site shows amazon.com in the URL bar, the site can't show amazon.com-like content because it makes the SELECT popup more visible. Also, a SELECT popup is closed when a user interacts with the site.

Hey tkent@, "It's impossible for SELECT popups to emulate the appearance of the URL bar." - what I did was put the URL on the first option and ¯¯¯¯¯ on the second, so when selected it looks like the emulated bar.

Also note, this does NOT work in other browsers. Take CVE-2016-9076 (recently fixed in Firefox that does & use the same technique provided)

Please revisit the WontFix. :)

Thanks,

Comment 6 by sheriffbot@chromium.org, Mar 10 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by palmer@chromium.org, Apr 20 2017

Issue 713032 has been merged into this issue.

Comment 8 by palmer@chromium.org, Apr 28 2017

Issue 716452 has been merged into this issue.
