Clickjacking or URL masking.
Reported by mishra.d...@gmail.com, Feb 7 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

Steps to reproduce the problem:
1. Open click.html
2. Then try to visit google.com OR http://hackies.in/click.html

Visually the browser says you (the user) will be visiting google.com, but it actually goes to datarift.blogspot.in. An attacker may craft the link and may perform a phishing attack or spoofing, etc.

In case the repro doesn't work, please perform the test case one more time.

What is the expected behavior?

What went wrong?
Just do a mouseover on the link and see at the bottom left that the URL says the browser will be visiting google.com, but it actually goes to datarift.blogspot.in.

Attaching the test case and the click.html file and video POC for reference.

Did this work before? N/A

Chrome version: 56.0.2924.87 (Official Build) (64-bit)
Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 24.0 r0
Feb 7 2017
This does not represent a security vulnerability in Chrome. A webpage with permission to run JavaScript can navigate the user to any other site by setting the document.location property. This is an inherent feature of the web platform. While I wasn't able to reproduce any sort of spoofing of the Status Bubble at the bottom left of the window with your repro page, such spoofing is easily possible and does not represent a security vulnerability in Chrome. The Status Bubble is a user-aid only and it is not a security feature.
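The behaviour described in the reply above, seen from the reviewing side, as an added example that is not part of the original thread and is not the reporter's click.html: a Node.js check that flags anchors whose inline handler sets `location` to a different host than the `href` a hover preview would show. The function names, the regexes and the `.example` hosts are assumptions made for illustration.

```javascript
// Added example: flag anchors whose inline handler navigates to a host
// other than the one in href (the value a hover preview would display).
// Regex-based and limited to inline on* attributes.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
// location = '...', location.href = '...', location.assign('...'),
// location.replace('...'), with or without a window./document. prefix.
const NAV_RE = /\blocation(?:\.href)?\s*=\s*['"]([^'"]+)['"]|\blocation\.(?:assign|replace)\(\s*['"]([^'"]+)['"]/g;

// Resolve a possibly relative URL against the page and return its host.
function hostOf(url, base) {
  try { return new URL(url, base).host; } catch { return null; }
}

function findMismatchedLinks(html, pageUrl) {
  const findings = [];
  for (const tag of html.matchAll(ANCHOR_RE)) {
    const attrs = {};
    for (const m of tag[1].matchAll(ATTR_RE)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3];
    }
    if (!attrs.href) continue;
    const shown = hostOf(attrs.href, pageUrl);
    for (const [name, code] of Object.entries(attrs)) {
      if (!name.startsWith('on')) continue; // only inline event handlers
      for (const nav of code.matchAll(NAV_RE)) {
        const actual = hostOf(nav[1] ?? nav[2], pageUrl);
        if (actual && actual !== shown) {
          findings.push({ handler: name, shown, actual });
        }
      }
    }
  }
  return findings;
}

// Constructed sample markup (not taken from the report).
const SAMPLE = `
<a href="https://shown.example/">ok</a>
<a href="https://shown.example/" onclick="location.href='https://other.example/x'; return false;">one</a>
<a href="/local" onmousedown='window.location.assign("/also-local")'>two</a>
`;

console.log(findMismatchedLinks(SAMPLE, 'https://page.example/'));
```

Handlers attached from script with `addEventListener` never appear in the markup, so a static check like this one only covers the inline case.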
Comment 1 by mishra.d...@gmail.com, Feb 7 2017
Attachment: 943 bytes