
Issue 718896 link


Issue metadata

Status: Duplicate
Merged: issue 571784
Owner: ----
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug




'About:blank' Address Bar URI Spoofing

Reported by vladimir...@gmail.com, May 5 2017

Issue description

VULNERABILITY DETAILS
'About:blank' Address Bar URI Spoofing allows an attacker to show dangerous content on a page whose displayed URL is 'About:blank'.
The user can interact with the fake 'about:blank' page.


VERSION
Chrome Version: 57.0.2987.133 stable
Operating System: Mac OS X (latest)
The exploit also works in Google Chrome Canary 60.0.3090.0 and in Chromium-based browsers for Mac OS X.

REPRODUCTION CASE
Open the HTML file attached to this report in Google Chrome.

Attachment: index_big_location_hash.html (946 bytes)
Components: UI>Browser>Omnibox
Labels: Needs-Feedback
Can you elaborate on which part of this you would consider a URL spoof, and how specifically the repro works? (e.g. is the user supposed to click the alert immediately? Is the alert considered part of the repro?)

The web platform, by design, allows a page to open a window to about:blank and to write whatever markup it wishes into that window, without changing the displayed URL. Given that by-design capability, a complicated means of placing markup into a window bearing a URL of about:blank doesn't seem very interesting from a security POV.
Sorry, maybe the reproduction is not clear.
The alert isn't part of the repro. It can be excluded from the code.
The URL of this page (e.g. evildomain.com) changes to 'about:blank' after the page is loaded.
So a page loaded from evildomain.com will be displayed with the URL 'about:blank'.
HTML file without the alert attached:
Attachment: index_big_location_hash.html (833 bytes)
Project Member

Comment 3 by sheriffbot@chromium.org, May 5 2017

Cc: elawrence@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Example (screenshot): The website was loaded from localhost, but the displayed URL changed to 'about:blank'.

Behavior of other browsers:
- Mozilla Firefox throws an error about a malformed URL.
Attachment: Снимок экрана 2017-05-05 в 19.29.09.png (52.0 KB)
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Mergedinto: 571784
Status: Duplicate (was: Unconfirmed)
This looks like bug 571784.