Security: Premium SMS subscription by visiting certain sites in Chrome on Android
Reported by
gabrielg...@gmail.com,
Mar 2 2017
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template.

Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home/chromium-security/security-faq

Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

>>Hi guys, I want to share with you one of the most annoying and strange things that has ever happened to me. As usual, I was browsing the internet with my Huawei Mate 9 and I entered a website. Then suddenly an ad appeared, I pushed the "close" button and after that, I was subscribed to a pay service!

OK, I went to the SMS, and went to the unsubscription, and immediately called my carrier to report the problem and block "Pay with my phone contract" (may vary in your country, mine is Spain). The agent told me that this is a common new way of procedure in these cases and it is getting big.

Malicious AD page: iknowwhatyoudownload.com => track.redirect.rocks => go.redirectvoluum.com

Then, my main thing is: HOW can an updated Chrome for Android without the SMS permissions (I checked it) send an SMS, OR how can Chrome share my number with a third-party page/app without communicating it to the user?

I think that is an important issue for all who browse the internet with their mobile phone.

VERSION
Chrome Version: Android last version
Operating System: Android 7.0, Patch 1 January 2007

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug.

>>Enter the page, and if the AD is displayed, you will be subscribed and receive a notification.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
Mar 2 2017
pstanton@, zbutler@: Do you mind taking a look? It seems like some of these sites should be on the blacklist.

mjcastner@ - FYI

Feel free to pass it back to me if the volume is low or there's no evidence.
Mar 3 2017
Thanks for reporting the issue. I'm so sorry that this happened to you. Unfortunately, we do not have a public policy against this currently so I am going to have to mark this as WontFix. We will continue to monitor the complaints for this behavior and act accordingly.
Jun 10 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by gabrielg...@gmail.com, Mar 2 2017 (attachment, 92.4 KB)