Issue 680860
Issue metadata

Status: Duplicate
Merged: issue 626951
Owner: ----
Closed: Jan 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: URI Obfuscation via UserInfo

Reported by ali.wami...@gmail.com, Jan 13 2017

Issue description

Summary:

Typically, when obfuscating a URL, you must trick someone into viewing a website they did not want to view by tempting them with something they are familiar with.

Products affected:

Latest version of Opera in Windows

Steps To Reproduce:

We can trick someone into viewing it like this:

http://example.com@sample.com

This will make the user think they are going to go to example.com, when really they are going to sample.com.

Live POC: https://bugs.chromium.org@facebook.com/
They think they will be redirected to https://bugs.chromium but the page displays facebook.com.
I attached a picture; make sure to focus your eyes on the URL address.

Thanks

Wamim

Labels: -Restrict-View-SecurityTeam
Mergedinto: 626951
Status: Duplicate (was: Unconfirmed)
Summary: Security: URI Obfuscation via UserInfo (was: Security: URI Obfuscation)
Chrome's support for userinfo components in URLs is working as expected.

https://www.chromium.org/Home/chromium-security/security-faq#TOC-Is-Chrome-s-support-for-userinfo-in-HTTP-URLs-e.g.-http:-user:password-example.com-considered-a-vulnerability-

Q: Is Chrome's support for userinfo in HTTP URLs (e.g. http://user:password@example.com) considered a vulnerability?
A: Not at this time. Chrome supports HTTP and HTTPS URIs with username and password information embedded within them for compatibility with sites that require this feature. Notably, Chrome will suppress display of the username and password information after navigation in the URL box to limit the effectiveness of spoofing attacks that may try to mislead the user. For instance, navigating to http://trustedsite.com@evil.example.com will show an address of http://evil.example.com after the page loads.
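The behaviour described in the FAQ, as an added example using the WHATWG URL API (this is not the reporter's or Chromium's code): the host a browser connects to is the part after `@`, the "trusted" name is only the username, and a client that strips userinfo before display shows the real destination. The functions `inspectUserinfoUrl` and `displayUrl` and the sample URL list are constructed here for illustration.

```javascript
// Added example (not part of the bug report or Chromium's code): shows why
// "http://example.com@sample.com" navigates to sample.com, and how a client
// can display a URL the way the Chromium FAQ describes (userinfo suppressed).
// Uses the WHATWG URL API (available in browsers and Node.js).

// Parse a URL and report where it actually goes versus what the userinfo
// component looks like. Returns null for unparseable input.
function inspectUserinfoUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return null;
  }
  const userinfo = url.username + (url.password ? ":" + url.password : "");
  // A username that itself looks like a hostname is the pattern from the
  // report: the "trusted" name is only a username, not the destination.
  const hostLikeUserinfo = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(url.username);
  return {
    realHost: url.hostname,
    userinfo,
    hasUserinfo: userinfo.length > 0,
    looksDeceptive: hostLikeUserinfo,
  };
}

// Address to show the user: username and password removed, mirroring what
// the FAQ says Chrome's address bar shows after navigation.
function displayUrl(input) {
  const url = new URL(input);
  url.username = "";
  url.password = "";
  return url.href;
}

// Constructed sample inputs, including the two URLs quoted in the report.
const samples = [
  "http://example.com@sample.com",
  "https://bugs.chromium.org@facebook.com/",
  "https://user:secret@api.example.net/v1",
  "https://www.example.org/",
];
for (const s of samples) {
  const info = inspectUserinfoUrl(s);
  console.log(`${s} -> host ${info.realHost}` +
    (info.looksDeceptive ? " (host-like userinfo)" : "") +
    `, shown as ${displayUrl(s)}`);
}
```

The `looksDeceptive` flag is a simple heuristic a mail or link filter could use to surface URLs whose userinfo imitates a hostname; it does not change where the URL goes.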
Comment 2 by sheriffbot@chromium.org (Project Member), Apr 22 2017

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
