Spoofing via overlaid windows and form validation bubbles
Reported by jm.acun...@gmail.com, Apr 5 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
Observing the bug with id 673163 (https://bugs.chromium.org/p/chromium/issues/detail?id=673163) I wanted to go a little deeper.
1- With IE11 the spoof is total; pity that Microsoft has closed the rewards program for this browser. Example: http://createcharts.esy.es/bubbles-spoof-ie11.html
2- In Google Chrome Version 57.0.2987.133, you can also fool a user. In this case, it is about opening a window and minimizing it (only the web address is shown). I then replace the contents of the main page with that of the open window. Example: http://createcharts.esy.es/bubbles-spoof.html
3- Mozilla Firefox in its latest version has resolved this bug by putting the focus in the window that validates the form.

What is the expected behavior?

What went wrong?
Content spoofing on any website

Did this work before? N/A

Chrome version: 57.0.2987.133 Channel: stable
OS Version: 6.3
Flash Version:

Apr 5 2017
Comment 1 by jm.acun...@gmail.com, Apr 5 2017
Demo IE11 (video attached, 4.9 MB)
This doesn't seem to repro in Chrome 59; the window that shows the validation bubble indeed gets focus each time the bubble is shown. Having said that, it's not really clear to me how the form validation bubble itself is the interesting part of this attack ... The HTML markup in the createcharts.esy.es page (which pretends to be a Google doc) could easily paint any warnings it wants without using notifications at all. The "spoof" here is that the user could be confused by the contents of the short window's omnibox that is positioned over the top of the background window's omnibox.
Apr 6 2017
I think my approach is correct. And what is exposed in Comment 3 is also. I can think of several scenarios:
- Show a page similar to the Google store (https://store.google.com)
- When you click on an item, the user is redirected to a PayPal page where the entry will be made to my account.
Apr 6 2017
Example with PayPal: http://createcharts.esy.es/bubbles-spoof-store.html For a few seconds you see the URL of the domain http://createcharts.esy.es but it is very likely that the user does not perceive it. Also, if the network is very fast, it is hardly noticeable.
Apr 6 2017
Another argument: the user is convinced that the web page is legitimate, so they will not re-check the URL in the toolbar.
Apr 6 2017
I believe the spoofing via overlaid windows attack is a variant of Issue 648350. I think the spoofing via form validation bubbles (which didn't repro in Chrome 57) is a variant of Issue 673163.
Apr 7 2017
I had a look at this on Windows 10. It's pretty imperfect: the pop-up window isn't the same size as the window in the background, and the shadow makes it fairly obvious there's something else on top. It also doesn't sit flush. The spoofing relies on the browser window being maximised fully. I'm going to assign this a fairly low importance right now, and merge it into crbug.com/648350.
Apr 7 2017
Since it is a low security bug, could they make it public?
Apr 10 2017
Some inconvenience?
Apr 11 2017