Issue 680807

Issue metadata

Status: WontFix
Closed: Jan 2017
OS: Android
Pri: 2
Type: Bug-Security

about:blank tabs can contain attacker controlled HTML

Reported by othm4n3....@gmail.com, Jan 13 2017

Issue description

Steps to reproduce the problem:
1. Visit the POC HTML code - in my case it's on an internal IP ( 192.168.1.3/brave.html - http://i.imgur.com/z14LN3W.jpg )
2. Click on " Spoof it "
3. The pop-up shows about:blank in the address bar while the content isn't the about:blank page content - http://i.imgur.com/pt70aVG.jpg

What is the expected behavior?
An about:blank page with a malicious page that could contain any type of malware, phishing pages, scams, etc.

What went wrong?
If an attacker successfully exploited this vulnerability, victims will not recognize the difference between the real webpage and the malicious webpage, since the "about:blank" page is a trusted address that is provided by the Google Chrome browser, and as I mentioned, this behavior could lead to Phishing, Malware execution, Scamming, Cross-site Forgery Attacks, Cross-site Scripting, and too many other attacks that could be executed.

Did this work before? N/A

Chrome version: 55.0.2883.87  Channel: stable
OS Version: 
Flash Version: 

I attached brave.html, which was used in the reproduction steps; it can be hosted anywhere to execute it.

Thanks.

Othmane Tamagart
Attachment: brave.html (322 bytes)

Android Device information : http://i.imgur.com/hODaBif.jpg

Google Chrome Version : 55.0.2883.91

Summary: about:blank tabs can contain attacker controlled HTML (was: Address Bar Spoofing to about:blank on Google chrome for Android)
Support for writing arbitrary content into about:blank documents is a core part of the web platform, across all versions of the browser.

There's been some discussion of showing something other than about:blank in the omnibox to more clearly convey the security owner of the markup; see the doc in Comment 26 of Issue 594215 (https://bugs.chromium.org/p/chromium/issues/detail?id=594215#c26)

Cc: elawrence@chromium.org
elawrence@, does that make this a WontFix?

Status: WontFix (was: Unconfirmed)
With about:blank in the URL, this is not a security vulnerability or phishing in any way. But as per c#2, it is better to show the real owner of the markup instead of about:blank.

" If an attacker successfully exploited this vulnerability, victims will not recognize the difference between the real webpage and the malicious webpage since the "about:blank" page is a trusted address that is provided by the Google Chrome browser. "

That's exactly what I mentioned here.

Thanks.

Comment 6 by mea...@chromium.org, Jan 17 2017

Labels: -Restrict-View-SecurityTeam allpublic
@othm4n3.tamagart: As comment #2 pointed out, we are aware of the issue and are looking into options. See bug 537452 as an alternative.

Comment 7 by mea...@chromium.org, Jan 17 2017

Sorry, wrong bug. Please see bug 466422.