Notifications can contain misleading content
Reported by mishra.d...@gmail.com, Feb 26 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0

Steps to reproduce the problem:
In the notification dialog, there are no origin hints or warnings. The attacker can then display a malicious notification dialog to the user that seemingly originates from the trusted site. Typically this notification dialog would mimic the legitimate site. An attacker may exploit this vulnerability to spoof an interface of a trusted web site.

What is the expected behavior?

What went wrong?
The notification appears exactly as if it came from google.com, which spoofs an interface of a trusted web site. Didn't work in Chrome for Android.

Demo URL: hackies.in/nof.html

Did this work before? N/A
Chrome version: 7.0.2987.54 beta (64-bit)
Channel: beta
OS Version: 7.0.2987.54 beta (64-bit)
Flash Version: Shockwave Flash 24.0 r0
Feb 26 2017
felt@, can any of our security UI experts comment on what the severity of this bug is for our users?
Feb 27 2017
+miguelg The first, bold line in that notification clearly shows the origin. (In this case I think it might be slightly clearer if it included "https://".) However, Eric enabled the system notifications. Chrome's own notifications show the origin at the bottom of the notification, in a lighter grey colour. https://www.wonderpush.com/img/global/webpush_desktop_mobile.png
Feb 27 2017
+nparker for spoofing I'm going to tentatively WontFix this. The origin is shown clearly in all cases, though it could be made more noticeable. The notification image makes this attack a bit more convincing, but IIRC we decided that we were okay with this risk unless we see it being widely abused. Is that correct, nparker?
Mar 2 2017
For Notification Images, we will send a sample of them to Safe Browsing and can blacklist sites based on those (after the fact). That was intended just for Android though, since on desktop the spoof was less convincing. I think the desktop UI showing the origin is sufficient here.
Comment 1 by elawrence@chromium.org, Feb 26 2017
Summary: Notifications can contain misleading content (was: Notification Spoofing.)